planner
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands (e.g., git checkout -b feature/{NNN}-{slug}, mkdir -p backlog/plans/{NNN}-{slug}/contracts, and rm backlog/plans/YYYYMMDD-{slug}.md) using variables derived from user input ($ARGUMENTS). If the agent generates a feature slug containing shell metacharacters (backticks, semicolons, pipes, or $(...)) in response to a crafted request and interpolates it unquoted into one of these commands, the result is arbitrary command execution on the host machine.
- [PROMPT_INJECTION]: The skill processes untrusted user input ($ARGUMENTS) and incorporates it into file names and command arguments, exposing an attack surface for indirect prompt injection.
- Ingestion points: The $ARGUMENTS variable in SKILL.md is the entry point for untrusted data.
- Boundary markers: The skill does not use delimiters or instructions that would stop the agent from following commands embedded in the user's feature request.
- Capability inventory: The skill possesses the capability to execute shell commands and perform file system operations (write, move, and delete) across the project workspace.
- Sanitization: The skill gives stylistic guidelines for the feature slug format (lowercase and hyphenated) but no code-level sanitization or shell-safe interpolation, so nothing guarantees that the resulting string is safe to pass to a shell.
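The following script is an added example, not code from the planner skill or from the audit: it shows the unsafe pattern the COMMAND_EXECUTION finding describes (a slug interpolated into a command string that a shell re-parses) next to a hardened version that allow-lists the slug and feature number and passes them to git, mkdir and rm as separate arguments. The path layout (backlog/plans/{NNN}-{slug}, feature/{NNN}-{slug}) is the one named above; the function names, the three-digit NNN rule, the 64-character limit and the DRY_RUN switch are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the planner skill): validating an untrusted slug
# before it reaches shell commands. Function names, the three-digit NNN rule,
# the 64-char limit and DRY_RUN are assumptions for this example.

# Vulnerable pattern: the slug is spliced into a command STRING that a shell
# re-parses, so ';', '|', backticks and $(...) are executed. "echo" stands in
# for mkdir so the demonstration creates nothing.
unsafe_build() {
  sh -c "echo mkdir -p backlog/plans/$1"
}

# Allow-list check for the slug: lowercase letters and digits with single
# hyphens between groups, no leading/trailing hyphen, at most 64 characters.
# Rejects metacharacters, '/', '..', spaces and a leading '-' (option smuggling).
# Returns 0 for an acceptable slug, 1 otherwise.
validate_slug() {
  case "$1" in
    '' | *[!a-z0-9-]* | -* | *- | *--*) return 1 ;;
  esac
  [ "${#1}" -le 64 ] || return 1
  return 0
}

# Feature number must be exactly three ASCII digits.
validate_nnn() {
  case "$1" in
    [0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Builds backlog/plans/{NNN}-{slug} only after both parts pass validation.
# Prints the path on stdout; prints nothing and returns 1 on rejection.
plan_dir() {
  validate_nnn "$1" && validate_slug "$2" || return 1
  printf 'backlog/plans/%s-%s\n' "$1" "$2"
}

# Executes a command given as an argv, never as a string. With DRY_RUN=1
# (the default here) the argv is printed instead of run, so the example is
# safe to execute anywhere.
run_cmd() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s' "$1"; shift
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
  else
    "$@"
  fi
}

# Hardened version of the skill's steps: validated values are always passed
# as separate, quoted arguments, so a metacharacter in the slug is only ever
# literal text, and the whole operation is refused if validation fails.
create_plan() {
  nnn=$1; slug=$2
  dir=$(plan_dir "$nnn" "$slug") || { echo "rejected slug: $slug" >&2; return 1; }
  run_cmd git checkout -b "feature/$nnn-$slug"
  run_cmd mkdir -p "$dir/contracts"
  run_cmd rm -f "backlog/plans/$(date +%Y%m%d)-$slug.md"
}

# Stand-alone demonstration: the injected slug prints INJECTED through the
# unsafe path and is refused by the hardened path.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ]; then
  unsafe_build 'x; echo INJECTED'
  create_plan 007 add-login-form
  create_plan 007 'x; echo INJECTED' || echo 'hardened path refused the slug'
fi
```

The point of the allow-list is that it is checked in code, not described in a prompt: an agent can be talked into emitting a slug that violates a stylistic rule, but it cannot talk a case pattern into accepting one. Passing the validated values as an argv rather than building a command string removes the second half of the bug, because nothing re-tokenises the slug.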
Audit Metadata