implement-refactor
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute validation commands (claude plugin validate) and modify file system permissions (chmod +x script.sh) as part of the plugin verification process.
  - Evidence: Found in 'Plugin Validation Requirements' and 'Hook Configuration Validation' sections.
- [REMOTE_CODE_EXECUTION]: Employs dynamic agent routing where the subagent_type is determined at runtime from the Agent field within a task file. This facilitates the dynamic loading and execution of agents based on external or user-provided file content.
  - Evidence: Agent(subagent_type="{task.agent}", ...) in the 'Launch Strategy' section.
- [DATA_EXFILTRATION]: No sensitive data harvesting or external transmission patterns were detected. The skill's operations are confined to the local project structure and configured agent paths.
- [PROMPT_INJECTION]: While the skill contains strong instructional markers like 'IMPORTANT' and 'CRITICAL', these are used for operational guidance and do not match patterns for bypassing safety filters or overriding system instructions.
- [INDIRECT_PROMPT_INJECTION]: The skill processes task files and design specifications that could contain untrusted data if provided by external sources. This content directly influences agent routing and orchestration logic.
  - Ingestion points: Reads markdown task files from .claude/plan/ and associated design specs.
  - Boundary markers: The skill does not define explicit delimiters or warnings to ignore instructions embedded within the processed task files.
  - Capability inventory: Can launch sub-agents with custom prompts, execute other skills, and run shell commands via validation workflows.
  - Sanitization: No sanitization or validation of the 'Agent' field or task descriptions is performed before they are used to launch sub-agents.
Audit Metadata