plan
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [DATA_EXFILTRATION]: The skill uses a Read tool to access files from user-specified paths. While intended for processing plan documents, this capability could be used to read sensitive files if a malicious path is provided.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted input from a file to automatically generate metadata (title, summary, tags, and plan type).
  - Ingestion points: The `file_path` argument in `/plan create` provides the source content which the agent parses.
  - Boundary markers: Absent. The skill does not define delimiters or use instructions to isolate the plan content from the agent's parsing logic during extraction steps.
  - Capability inventory: The skill utilizes `Read` (to access the source), `Write` (to save the plan to `~/.claude/plans/`), and `kb_upsert_plan` (to ingest the metadata and content into a database).
  - Sanitization: Metadata extraction depends on keyword matching and regex, but the `raw_content` and `summary` are passed to the database tool without sanitization or escaping.
Audit Metadata