plan-plus
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted data from the local environment during its automatic context exploration phase.
- Ingestion points: Phase 0 (Context Exploration) automatically reads data from
AGENTS.md, the git history (git log), existing plan documents indocs/01-plan/, and the project configurationbkit.config.json. - Boundary markers: The instructions do not specify the use of delimiters or 'ignore' directives to prevent the agent from executing instructions found within these external files.
- Capability inventory: The skill has access to several management tools (
bkit_get_status,bkit_analyze_prompt,bkit_pdca_plan,bkit_complete_phase) and writes validated plan content back to the file system in thedocs/directory. - Sanitization: There is no mention of sanitization or structural validation for the content retrieved from the git log or project documents before it is integrated into the agent's context.
Audit Metadata