rpi-plan
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a local Python script to collect repository information via shell commands. The script scripts/metadata.py uses subprocess.run() to call git remote, git rev-parse, and git branch to populate plan metadata. These commands are hardcoded and do not process external user input, which mitigates injection risks.
- [PROMPT_INJECTION]: The skill processes external files that could contain malicious instructions, creating a surface for indirect prompt injection.
  1. Ingestion points: Reads user-referenced files and research documents from the repository.
  2. Boundary markers: Instructions mandate reading files fully and trusting research documents as the source of truth.
  3. Capability inventory: The agent has access to file-reading tools, file-writing capabilities, and local command execution via metadata.py.
  4. Sanitization: No logic is present to filter or sanitize instructions embedded within the analyzed documents.
Audit Metadata