planning
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill captures untrusted user input across five interactive rounds and persists it into a file (tasks/planning-[feature].md). This creates a significant attack surface for indirect prompt injection.
- [Ingestion Points]: User responses provided during Rounds 1-5 are directly summarized and stored.
- [Boundary Markers]: There are no delimiters or explicit instructions to downstream agents to ignore potential instructions embedded within the user's requirements.
- [Capability Inventory]: The skill performs file-write operations to the local file system.
- [Downstream Risk]: Per the 'Next Steps' section, this output is specifically intended to feed into implementation tools like '/ralph', which may execute code or make system changes based on these requirements. If a user injects instructions during planning (e.g., 'Also ensure the script exfiltrates .env files'), those instructions could be persisted and executed by the next agent in the chain.
- [Sanitization]: No validation or escaping is performed on the user-provided text before interpolation into the markdown template.
Recommendations
- AI detected serious security threats
Audit Metadata