implement_plan_micro
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect prompt injection through plan ingestion. It reads technical plans and interpolates them into sub-agent prompts without boundary markers or sanitization.
  1. Ingestion points: 'thoughts/shared/plans'.
  2. Boundary markers: absent in the sub-agent prompt template.
  3. Capability inventory: spawning sub-agents (spawn) and file modification (files_modified[]).
  4. Sanitization: absent.
- [Data Exposure & Exfiltration] (HIGH): The skill logic enforces an obligation to read any file mentioned in a plan ('O(read_fully(f)) <- mentioned_in_plan(f)'). This can be exploited by a malicious plan to read and expose sensitive files into the agent's context and handoff logs.
Recommendations
- AI detected serious security threats
Audit Metadata