plan-interviewer
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests untrusted data from the local project environment without proper isolation.
- Ingestion points: The 'artifact-reader-agent' and 'codebase-scanner-agent' read files such as README.md, .agents/product-context.md, and codebase configuration files (e.g., package.json).
- Boundary markers: The instructions for these agents do not include explicit delimiters or 'ignore embedded instructions' warnings to separate the ingested file content from the agent's core logic.
- Capability inventory: The orchestrator facilitates interactive questioning via 'AskUserQuestion' and performs file-system writes to generate the specification at '.agents/spec.md'.
- Sanitization: There is no documented evidence of escaping or validating the content of scanned files before they are interpolated into the synthesis and interviewer prompts.
Audit Metadata