executing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it executes instructions from an external file (docs/plan.md).
-
- Ingestion points: Implementation plans are read from local files as part of Step 1.
-
- Boundary markers: No technical delimiters or 'ignore' instructions are used to isolate the ingested plan content from the system prompt.
-
- Capability inventory: The agent can execute git commands, test suites (npm test, pytest), and invoke specialized sub-skills for task completion.
-
- Sanitization: Safety relies on the agent's instructions to 'critically review' the plan and report concerns to the user, rather than automated validation.
- [COMMAND_EXECUTION]: The skill allows for the execution of command-line tools based on the requirements of the provided plan. While intended for standard development tasks, this capability could be exploited if an attacker-controlled plan specifies malicious commands in the verification or implementation steps.
Audit Metadata