executing-plans
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill is vulnerable to Indirect Prompt Injection because it is designed to ingest and execute instructions from an external, untrusted 'plan file'.
  - Ingestion points: Step 1 requires the agent to read an external file containing an implementation plan.
  - Boundary markers: No boundary markers or specific delimiters are used to separate the plan content from the agent's system instructions.
  - Capability inventory: While not explicitly defined in the Markdown, the 'execute tasks' and 'implement' descriptions imply capabilities like file modification and command execution.
  - Sanitization: No technical sanitization of the plan content is performed.
  - Instructional Risk: The directive 'Follow each step exactly' in Step 2 increases the likelihood of executing malicious embedded instructions. However, this is partially mitigated by the requirement to 'Review critically' and the mandatory human-in-the-loop checkpoints ('Ready for feedback').
Audit Metadata