executing-plans
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill exhibits an Indirect Prompt Injection surface. It is designed to ingest and strictly follow instructions from external markdown files which could be modified by untrusted sources.
  - Ingestion points: Files located at `.claude/plans/<plan-id>/plan.md` and `briefings/task-NN.md` are read and their instructions are executed.
  - Boundary markers: None. The instructions state to 'Follow each step exactly' without providing delimiters or warnings to ignore embedded malicious instructions.
  - Capability inventory: The skill has the capability to read files, execute tasks (shell commands), and delete directories (`rm -rf`).
  - Sanitization: No sanitization or validation of the plan content is mentioned before the agent begins implementation.
- [COMMAND_EXECUTION] (LOW): The skill executes a destructive shell command (`rm -rf`) to clean up plan directories. While this is scoped to the `.claude/plans/` path, it represents a risk if the directory identifier is manipulated to target other parts of the file system.
Audit Metadata