parallel-task
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection through the parsing of external plan files.
- Ingestion points: The skill reads Markdown plan files provided by the user or found in the repository (e.g., plan.md in Step 2).
- Boundary markers: There are no boundary markers or delimiters used when interpolating plan content (Description, Acceptance Criteria, Validation) into the subagent prompt template.
- Capability inventory: Subagents are explicitly instructed to 'Examine and explore... all relevant files', 'Implement changes for all acceptance criteria', and 'Run validation'. This provides a high-privilege execution environment for injected instructions.
- Sanitization: No sanitization or validation of the plan content is performed before it is used to drive subagent behavior. An attacker-controlled plan could include instructions to exfiltrate data, delete files, or inject backdoors under the guise of 'Acceptance Criteria'.
Recommendations
- AI detected serious security threats
Audit Metadata