NYC

execute-plan

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill processes untrusted external content (markdown files in the plans/ directory) and instructs the agent to 'Execute all actions required to complete the task'. This creates a significant attack surface where instructions embedded in the file can hijack the agent's capabilities. There are no boundary markers or sanitization steps defined.
  • Prompt Injection (HIGH): The 'Commitment to Completion' section forces the agent to recite a pledge ('I will execute this plan to completion') and mandates that 'all tasks in the plan must be completed'. This is a behavioral override designed to bypass the agent's refusal logic or safety filters when encountering tasks inside the untrusted file.
  • Command Execution (HIGH): The broad instruction to execute any action required to complete a task grants the agent permission to run shell commands or scripts based entirely on the contents of the external plan file.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 09:17 PM