Gen Agent Trust Hub audit: skills/iulspop/aidd-skills/plan

plan

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Findings flagged: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill interpolates user-provided $ARGUMENTS directly into the instructional prompt. Without explicit boundary markers (like XML tags or delimiters) or instructions to ignore embedded commands, a malicious user could provide a request that overrides the agent's core instructions.
  • [COMMAND_EXECUTION]: The skill instructs the agent to write generated plans to the local file system at $TMPDIR/plans/. While writing to a temporary directory is common, this capability could be exploited if an injection attack influences the filename or content, potentially leading to file overwrites or the creation of malicious scripts in the temporary space.
  • [DATA_EXPOSURE]: The skill contains a rule to "search for and read ALL relevant code for the task before making changes." This functionality, while necessary for its purpose, could be leveraged by a malicious prompt to exfiltrate sensitive local files (like .env or SSH keys) if the agent is not properly constrained.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 04:33 PM