planning-agent
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill processes untrusted 'Conversation context' to create implementation plans used by the '/implement_plan' command, creating a high-integrity injection surface where malicious requirements can become executable tasks. (Evidence Chain: 1. Ingestion: Conversation context and Continuity ledger; 2. Boundary markers: Absent; 3. Capability inventory: Bash, Task, Read, Write; 4. Sanitization: Absent).
- COMMAND_EXECUTION (MEDIUM): The skill policy in SKILL.v6.md permits 'Bash' as a primary action, and the implementation template in SKILL.md suggests 'uv run' commands, allowing a prompt injection attack to insert arbitrary shell commands into the planning output.
- EXTERNAL_DOWNLOADS (LOW): The planning template includes 'uv run' as a success criterion, which facilitates downloading and running packages from remote registries. (Evidence: SKILL.md Step 4)
Recommendations
- AI detected serious security threats
Audit Metadata