team-implement-plan-full

Pass

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It reads a plan file path from user input ($0) and interpolates the contents of that file directly into the system prompts of subagents (the 'reviewer' and 'implementer' tasks).
      • Ingestion points: The skill reads the plan file in Phase 1a using the Read($0) command in SKILL.md.
      • Boundary markers: Absent. The plan content and phase details are inserted directly into prompts (e.g., {full plan content}, {phase N details}) without delimiters or instructions for the subagents to ignore embedded commands.
      • Capability inventory: Subagents have the ability to read and write files, and execute shell commands (build, lint, test) on the host system.
      • Sanitization: No validation or sanitization of the input plan content is performed before interpolation into agent prompts.
  • [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary shell commands. It instructs subagents to run 'exit condition' commands (such as build, lint, and test scripts) that are defined within the untrusted plan file. If a malicious plan is provided, it could lead to the execution of harmful code on the host environment.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 24, 2026, 12:16 PM