detail
Fail
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill uses mandatory instructions in the tool_restrictions and tool_restrictions_reminder sections to override default AI behavior, banning the use of built-in planning tools (EnterPlanMode and ExitPlanMode) and substituting them with the skill's own procedural instructions. It also treats external design specifications as a source of truth without establishing boundary markers. Ingestion points: docs/arc/specs/-design.md, docs/plans/-design.md, and documentation from sub-agents. Boundary markers: None. Capability inventory: file-write, sub-agent spawning, and terminal command execution (git, pnpm). Sanitization: None.
- [COMMAND_EXECUTION]: The skill directs the agent to execute shell commands via package managers (pnpm, npm, yarn) and git. It explicitly mandates: 'Never ask user to run CLI commands -- agent does it,' which bypasses human-in-the-loop verification for terminal operations.
- [EXTERNAL_DOWNLOADS]: The skill retrieves design context from Figma via tool calls and documentation from external searches using sub-agents. It also dispatches logic from an external reviewer agent located at agents/workflow/plan-document-reviewer.md.
Recommendations
- AI detected serious security threats
Audit Metadata