start-planning
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill executes multiple local shell scripts (discovery.sh, write-session-state.sh, system-check.sh). While these appear to be internal workflow tools, they perform file system discovery and state management.
- [PROMPT_INJECTION] (LOW): The SKILL.md file contains instructions like 'CRITICAL: This guidance is mandatory' and 'ZERO OUTPUT RULE'. These are standard structural instructions for agent personas but match patterns used to constrain or override default behavior.
- [DATA_EXFILTRATION] (SAFE): No evidence of network operations or exfiltration of sensitive files was detected. Network operations are not present in the provided scripts.
- [EXTERNAL_DOWNLOADS] (SAFE): No remote packages or external scripts are downloaded; all referenced scripts are local to the project directory.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes external Markdown and YAML files (specification.md, plan.md) to drive its logic.
  - Ingestion points: Reads frontmatter and content from docs/workflow/specification/ and docs/workflow/planning/ via discovery.sh.
  - Boundary markers: None identified in the script or instructions to delimit untrusted file content from system instructions.
  - Capability inventory: Uses Bash to execute local scripts and saves session state via write-session-state.sh.
  - Sanitization: None identified; the skill parses status, type, and format fields directly from file frontmatter and uses them for routing logic.
Audit Metadata