planner
Fail
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `npx -y` to automatically download and run the `@steipete/oracle` package from the public NPM registry without user confirmation.
- [REMOTE_CODE_EXECUTION]: By invoking `npx`, the skill executes arbitrary code from a remote package repository at runtime.
- [COMMAND_EXECUTION]: The skill performs several shell operations, including directory creation (`mkdir -p`), file writing via heredocs (`cat > ...`), and execution of external CLI tools.
- [DATA_EXFILTRATION]: The skill is designed to upload the contents of the `src/` directory to an external service via the `@steipete/oracle` tool for planning purposes. This involves sending proprietary or sensitive source code to a third-party endpoint.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8). It reads existing codebase files and incorporates their content into instructions sent to an external LLM (Oracle), creating a risk that malicious code comments or strings could manipulate the planning output.
  - Ingestion points: Reads application source code from the `src/` directory.
  - Boundary markers: No delimiters or instructions are provided to the planning model to treat ingested code as untrusted data.
  - Capability inventory: Shell execution via `npx`, file system writes, and network transmission of data.
  - Sanitization: No validation or sanitization is performed on the code content before it is interpolated into the planning prompt.
Recommendations
- AI detected serious security threats
Audit Metadata