executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core function is to read an external plan file and execute its contents. This creates a direct path for malicious instructions embedded in a plan file to take control of the agent's actions.
- Ingestion point: Step 1, item 1: "Read plan file".
- Boundary markers: None. There are no instructions to ignore embedded commands or treat the content as data only.
- Capability inventory: Step 2, item 2: "Follow each step exactly" and item 3: "Run verifications". This implies the agent has the power to modify files and run shell commands based on external input.
- Sanitization: None. The skill explicitly tells the agent to "Follow each step exactly," which may override the agent's internal safety filters when processing the plan.
- Command Execution (MEDIUM): The instructions to "Follow each step exactly" and "Run verifications as specified" within an external plan suggest that the agent will execute arbitrary scripts or shell commands defined in that external file.
Recommendations
- AI detected serious security threats
Audit Metadata