executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is explicitly designed to ingest and execute instructions from an external file, creating a primary attack vector for malicious actors.
- Ingestion points: The skill begins by reading an external 'plan file' (SKILL.md, Step 1.1).
- Boundary markers: Absent. There are no instructions to the agent to distinguish between the skill's own logic and potentially malicious instructions contained within the plan file.
- Capability inventory: The skill mandates the agent to "Follow each step exactly" (Step 2.2) and execute these steps in batches, which in an AI agent context typically grants the power to modify files, run code, or access the network.
- Sanitization: Absent. The skill lacks any mechanism to validate the source of the plan file or sanitize its contents before execution.
- [Command Execution] (MEDIUM): While no specific shell commands are hardcoded, the instruction to "Follow each step exactly" from an arbitrary plan file implicitly authorizes the execution of any commands or scripts defined in that plan.
Recommendations
- AI detected serious security threats
Audit Metadata