plan
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest and process untrusted data from the repository (e.g., README.md, docs/) to generate plan content. This creates a surface where embedded instructions could influence the agent's behavior.
  - Ingestion points: The skill instructions in SKILL.md prompt the agent to read README.md, docs/, CONTRIBUTING.md, and other files for context.
  - Boundary markers: No explicit delimiters are used to separate untrusted repository content from the agent's instructions.
  - Capability inventory: The skill can read, write, and delete files within the ~/.codex/plans directory.
  - Sanitization: The skill implements a strict regex (^[a-z0-9]+(-[a-z0-9]+)*$) for filenames to prevent path traversal and ensures metadata is single-line to prevent YAML injection.
- Data Exposure (LOW): The create_plan.py script allows reading any local file through the --body-file argument. While restricted to the agent's permissions, a prompt injection attack could trick the agent into copying sensitive configuration files or keys into a plan file within the localized plans directory.
Audit Metadata