plan
Warn
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Step 4b directs the agent to use the 'find-skills' utility to search for and install new skills autonomously when domain gaps are identified, which involves downloading code from external sources without a pre-defined whitelist.
- [REMOTE_CODE_EXECUTION]: The skill autonomously installs and invokes discovered skills to provide domain guidance, representing the execution of external code at runtime.
- [COMMAND_EXECUTION]: The skill uses the 'noodle' CLI to emit 'stage_yield' events and signal task completion in non-interactive environments (Step 8).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  1. Ingestion points: Project documentation (brain/principles.md) and existing source code explored via subagents.
  2. Boundary markers: None; the skill does not use delimiters or instructions to ignore embedded commands in the processed data.
  3. Capability inventory: File system writes to 'brain/plans/', session event emission via the 'noodle' CLI, and autonomous skill installation.
  4. Sanitization: No sanitization or filtering of the ingested codebase content is specified before the planning phase.