create-plans
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): An attack surface for indirect prompt injection exists because the skill ingests potentially untrusted technical data from web research into 'FINDINGS.md' (defined in 'workflows/research-phase.md'), which then informs the generation of executable plans in 'PLAN.md'. Evidence chain:
  1. Ingestion points: '.planning/phases/XX-name/FINDINGS.md', sourced from the 'WebSearch'/'WebFetch' tools.
  2. Boundary markers: XML-style tags in 'PLAN.md' and templates.
  3. Capability inventory: shell execution (git, mkdir, find, wc) and general file manipulation.
  4. Sanitization: mandatory human-in-the-loop review gates defined in 'references/user-gates.md' that require explicit user approval before proceeding at critical steps.
- COMMAND_EXECUTION (SAFE): The skill utilizes standard bash commands for project management, such as 'git push' for version control, 'find' and 'wc' for codebase statistics, and 'mkdir' for directory organization. These commands are used for their intended purposes within a developer tool context and are transparently defined in the workflow files.
- EXTERNAL_DOWNLOADS (SAFE): The 'research-phase.md' workflow explicitly triggers external searches and fetching of documentation to inform project planning. This is an intended core capability and is governed by quality control guidelines in 'references/research-pitfalls.md'.
Audit Metadata