ensure-complete

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes content from user-specified task files and interpolates it directly into prompts for sub-agents (such as plugin-assessor or python-code-reviewer). This creates an indirect prompt injection surface where a malicious task file could influence sub-agent behavior.
      • Ingestion points: The $ARGUMENTS parameter representing the task file path and the content of the .claude/plan/REFACTOR-PLAN.md file.
      • Boundary markers: Uses XML-style tags like <task_file> and to delineate data, but lacks explicit 'ignore instructions' warnings to the sub-agents to prevent them from following commands inside those tags.
      • Capability inventory: The skill launches multiple sub-agents with broad prompts and has the ability to write to project configuration files and generate new task files.
      • Sanitization: No validation or sanitization of the input file content is performed before interpolation.
  • [COMMAND_EXECUTION]: The skill executes the 'claude plugin validate' shell command to perform structural checks on the plugin directory.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 08:41 AM