executing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core function is to read and execute instructions from a plan file that may contain untrusted data.
  - Ingestion points: Step 1 involves reading a plan file from the workspace.
  - Boundary markers: No delimiters or specific safety instructions are provided to the agent to distinguish the plan instructions from its own system boundaries.
  - Capability inventory: In Step 2, the skill allows the agent to execute implementation steps and run verification routines, which typically involve shell command execution and file system modifications.
  - Sanitization: The skill relies on the agent to review the plan critically but does not implement programmatic sanitization or validation of the plan content before execution.
Audit Metadata