executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest and execute instructions from an external 'plan file'. This is a classic injection surface where malicious instructions embedded in the data (the plan) could lead to unauthorized actions.
- Ingestion points: Step 1 involves reading an external 'plan file'.
- Boundary markers: None are specified; the skill lacks delimiters or instructions to ignore embedded malicious commands within the plan.
- Capability inventory: The skill explicitly commands the agent to 'Follow each step exactly' and 'Run verifications as specified'. If the plan contains shell commands or malicious scripts under the guise of 'tasks' or 'verifications', the agent is instructed to execute them.
- Sanitization: There is no evidence of sanitization or validation of the plan content before execution.
- Remote/Command Execution (HIGH): By instructing the agent to 'Run verifications as specified' from an external file, the skill facilitates the execution of arbitrary commands or scripts defined by whoever controls the plan file. This effectively grants the external file the ability to execute code on the host system.
- Prompt Injection (MEDIUM): The instructions to 'Follow each step exactly' and 'Mark as completed' create a rigid execution flow that discourages the agent from questioning or applying safety filters to individual steps within the external plan.
Recommendations
- AI detected serious security threats
Audit Metadata