implementation-plan

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill exhibits a significant attack surface by taking arbitrary user input through $ARGUMENTS and reading repository code.
  • Ingestion points: Untrusted data enters the context via the $ARGUMENTS parameter and by reading existing project code (which could contain malicious instructions in a multi-user or untrusted repository scenario).
  • Boundary markers: There are no boundary markers or instructions to ignore embedded commands within the $ARGUMENTS block.
  • Capability inventory: The skill possesses the ability to read all local source code, perform web searches, and write new files (plans containing code) to the ai/plans/ directory.
  • Sanitization: No sanitization or validation of the input or of the resulting plan is specified, so an attacker could trick the agent into generating backdoored code or into exfiltrating information through web-search query parameters.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:51 AM