executing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and executes instructions from an external plan file.
- Ingestion points: The skill reads a plan file in Step 1 ("read_file plan file") or via the --plan argument in the Conductor Integration autonomous mode.
- Boundary markers: The skill lacks explicit delimiters or instructions to treat the plan content as untrusted data or to ignore embedded agent instructions within the plan.
- Capability inventory: The agent is instructed to "Follow each step exactly", which includes performing file modifications and running verifications (commands) across all scripts associated with the plan.
- Sanitization: No validation or sanitization of the plan's content is performed before execution.
- [COMMAND_EXECUTION]: The skill is designed to facilitate the execution of arbitrary tasks described in a text file, which involves running shell commands and modifying the workspace.
- Evidence: Step 2 ("Execute Batch") and the autonomous mode instruct the agent to execute all tasks in the plan exactly as specified.
Audit Metadata