plan-execution
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill defines cleanup procedures using `rm -rf .claude/plans/<plan-id>/` in `references/execution-modes.md` and `references/guardrails.md`. The `<plan-id>` variable is derived from user input or file system paths, creating a risk of path traversal (e.g., using `../../`) that could lead to arbitrary file deletion if not properly validated.
- [COMMAND_EXECUTION]: In `prompts/code-quality-reviewer.md`, the skill instructs subagents to execute a Node.js command: `node -e "console.log(require('<pkg>/package.json').peerDependencies)"`. Since `<pkg>` is a placeholder filled from task definitions in potentially untrusted plans, it is vulnerable to command injection if a malicious package name is provided.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it orchestrates agents based on instructions found in external files.
  - Ingestion points: The skill reads `manifest.json`, `plan.md`, and briefing files (e.g., `briefings/task-NN.md`) as documented in `references/execution-modes.md` to drive the workflow.
  - Boundary markers: While the skill mentions token budgets and return format constraints for agent outputs, it lacks explicit delimiters or instructions to ignore embedded commands within the ingested plan files.
  - Capability inventory: The skill possesses capabilities for file system deletion (`rm -rf`), code execution (`node -e`), and version control operations (`git branch`).
  - Sanitization: There is no evidence of sanitization or validation for variables like `<plan-id>` or `<pkg>` before they are interpolated into shell commands.
Audit Metadata