Skills
skills/laurigates/claude-plugins/blueprint-feature-tracker-status/Gen Agent Trust Hub

blueprint-feature-tracker-status

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: CRITICALEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (CRITICAL): A security scanner detected a blacklisted malicious URL within the 'REQUIREMENTS.md' file. The skill is designed to parse this file and use it as a source of truth for tracking project status.
  • PROMPT_INJECTION (LOW): The skill exhibits an Indirect Prompt Injection surface (Category 8). It ingests data from 'feature-tracker.json' (which is derived from 'REQUIREMENTS.md') and interpolates it into prompts without sanitization. 1. Ingestion points: 'docs/blueprint/feature-tracker.json' via Read tool. 2. Boundary markers: None. 3. Capability inventory: Bash (jq), Read, AskUserQuestion. 4. Sanitization: None.
  • COMMAND_EXECUTION (LOW): The skill uses the Bash tool to run 'jq' queries on the project's tracker file. While the commands themselves are benign, they operate on data associated with a confirmed malicious resource.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 19, 2026, 01:34 AM