plan-deepen
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands like `find`, `ls`, and `cat` to traverse and read from a wide range of system directories, including the user's home directory (`~/.claude/`) and plugin installation caches. This enables the dynamic discovery and execution of logic from unverified locations at runtime.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from external files and interpolates it into instructions for parallel sub-agents.
  - Ingestion points: The skill reads content from a user-specified plan file and multiple solution/learning documents stored in `docs/solutions/`.
  - Boundary markers: It uses basic triple-dash (`---`) delimiters which are insufficient to prevent a sub-agent from following malicious instructions embedded within the ingested text.
  - Capability inventory: The skill has the capability to spawn numerous parallel sub-agents, execute system commands, and update files on the disk.
  - Sanitization: No input validation or sanitization of the ingested file content is performed before it is passed to the sub-agents.