plan-flow
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/findings_to_plan.pyexecutes the local shell scriptscripts/redundancy_scan.shusing thesubprocess.runfunction. The execution uses a list-based argument structure which prevents shell injection. The script is used to search the local codebase usingripgrepfor structural patterns. - [DATA_EXFILTRATION]: The skill performs repository-wide searches and reads code files to generate its analysis. This data processing is entirely local, and there are no signs of network requests, external data transfers, or hardcoded credentials.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted repository content during its analysis phase.
- Ingestion points:
scripts/redundancy_scan.sh(viarg) andscripts/findings_to_plan.py(via file reading and output parsing). - Boundary markers: The skill does not implement specific delimiters or 'ignore' instructions when processing the names of symbols or snippets of code from the files.
- Capability inventory: The skill has the ability to execute local shell scripts via
subprocess.runand write plan files to the local disk usingPath.write_text. - Sanitization: The skill uses regular expressions to extract specific architectural symbols (structs, enums, traits) rather than interpreting the entire file content as instructions, which reduces the potential impact of malicious payloads in the analyzed source code.
Audit Metadata