skills/jmerta/codex-skills/plan-work/Gen Agent Trust Hub

plan-work

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill is designed to analyze and ingest untrusted data from repository files.
      • Ingestion points: Reads repository files (README.md, docs/, AGENTS.md) and processes output from ripgrep (rg) and git commands as specified in SKILL.md.
      • Boundary markers: Absent; the workflow does not use delimiters or instructions to ignore embedded commands within the analyzed files.
      • Capability inventory: Accesses files and runs repository analysis commands (rg, git log, git blame).
      • Sanitization: Absent; data from the repo is interpolated directly into the analysis context.
      • Mitigation: The workflow includes a mandatory Q&A gate and uses a template (references/plan-template.md), ensuring human review before any implementation steps are finalized.
  • [Data Exposure & Exfiltration] (SAFE): The skill focuses on local repository research. It does not contain network request capabilities or patterns for accessing sensitive system-level credentials.
  • [Command Execution] (SAFE): Command usage is restricted to standard discovery tools (rg, git). No arbitrary shell execution or high-privilege operations are present.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:09 PM