agent-orchestration
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection. The skill instructs agents to read and follow implementation instructions ('plans') from files like thoughts/shared/plans/*.md. These files are treated as trusted input sources for the agent's logic.
  - Ingestion points: Local plan files and the Artifact Index.
  - Boundary markers: Absent. The instructions do not separate the plan data from the agent's operational instructions.
  - Capability inventory: The skill explicitly empowers agents to 'Make edits', 'Create Shell wrapper', 'Create Python script', and 'Register in settings.json'.
  - Sanitization: Absent. There is no verification of the plan's content before the agent acts on it.
- [COMMAND_EXECUTION] (HIGH): The skill facilitates arbitrary command execution through sub-agents tasked with creating shell/python scripts and running tests. This significantly escalates the impact of a successful prompt injection.
- [DYNAMIC_EXECUTION] (MEDIUM): The skill promotes a pattern of 'Script generation + execution' by creating TypeScript hooks, Python scripts, and Shell wrappers based on external plan content. This runtime generation of executable content is inherently risky when driven by untrusted data.
Recommendations
- AI detected serious security threats
Audit Metadata