plan
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill includes a mechanism in Step 4 to use a
find-skillstool to search for and install external agent skills into the project environment when a specific domain is not covered by existing local skills. - [REMOTE_CODE_EXECUTION]: After installing external skills, the instructions mandate 'invoking' them and incorporating their output into the plan, which constitutes the execution of logic/instructions from an unverified external source.
- [COMMAND_EXECUTION]: The skill performs active file system modifications, including creating directories and markdown files within the
brain/plans/directory, and utilizes aTasktool to spawn subagents for codebase exploration. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted data from the local codebase during the 'Explore Context' and 'Load Principles' steps. Evidence:
- Ingestion points:
brain/principles.mdand any project files discovered by subagents in Step 3. - Boundary markers: None explicitly defined to separate project data from agent instructions.
- Capability inventory: File writing (
brain/plans/), skill installation (find-skills), and subagent spawning. - Sanitization: No sanitization or validation of the content read from the codebase is specified before it is used to generate plan content.
Audit Metadata