writing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill functions as a generator for executable plans based on untrusted user input, creating a direct path for malicious instructions to influence system operations.
- Ingestion points: The skill ingests user-provided 'specs' or 'requirements' as the primary data source for plan generation, as noted in the file description.
- Boundary markers: There are no defined delimiters or instructions to treat input data as non-executable text, making it possible for the agent to mistake embedded user instructions for legitimate planning tasks.
- Capability inventory: The generated plans explicitly include shell commands (git, pytest) and file system modifications. The skill specifically mandates a handoff to high-privilege sub-skills (devops-skills:executing-plans and devops-skills:subagent-driven-development) which possess the capability to execute these instructions.
- Sanitization: There is no evidence of filtering, escaping, or validation of the input spec before it is interpolated into the markdown plan templates.
Recommendations
- AI detected serious security threats
Audit Metadata