plan-manager
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a significant attack surface by reading and processing markdown files and YAML frontmatter that may contain content from untrusted external sources. * Ingestion points: Reads files from
.claude/plans/active/,.claude/plans/archive/, and.claude/context/via commands likelist-active,update-step, andupdate-indexes. * Boundary markers: Absent. There are no specified delimiters or system instructions to ignore commands embedded within the documents. * Capability inventory: File system write/move access and execution of the shell script.claude/bin/update-indexes.sh. * Sanitization: Absent. The skill extracts metadata directly from frontmatter and headers without validation. - Command Execution (MEDIUM): The
update-indexescommand is implemented via a shell script at.claude/bin/update-indexes.sh. While intended for maintenance, executing local scripts that process potentially poisoned file indexes poses a risk of exploitation.
Recommendations
- AI detected serious security threats
Audit Metadata