skills/michaelmerrill/skills/explore/Gen Agent Trust Hub

explore

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFE (finding category: PROMPT_INJECTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of repository files that may contain adversarial content.
  • Ingestion points: The skill reads ./plans/*.md, the codebase, architecture records, and README files.
  • Boundary markers: There are no markers or safety instructions to distinguish ingested file content from the skill's core protocol instructions.
  • Capability inventory: Capability to read project files, write new plan files to ./plans/, and interact with the user via standard tools.
  • Sanitization: No sanitization is performed on file content before it is used to influence the agent's logic.
  • Logic Override: The 'Rollback Notes' feature explicitly allows content from a file to take 'priority' and skip foundational discovery steps (detecting state, exploring the codebase, searching docs), which could be exploited to bypass security or project constraints.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 25, 2026, 12:53 AM