writing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill uses coercive instructions such as 'REQUIRED SUB-SKILL' and 'Every plan MUST start with this header' to force the agent to follow a rigid workflow and invoke external execution tools, which can be exploited if the initial agent context is compromised.
- Indirect Prompt Injection (HIGH): The skill's primary function is to ingest untrusted 'specs or requirements' and convert them into actionable implementation plans. This creates a significant vulnerability surface where a malicious specification can cause the agent to generate a plan that includes harmful code or destructive commands.
  - Ingestion points: The 'spec or requirements' provided by the user as input to the planning process.
  - Boundary markers: Absent; the skill does not use delimiters or instructions to prevent the agent from obeying instructions embedded within the processed requirements.
  - Capability inventory: The skill generates Python code (Step 1/3) and shell commands (Step 2/4/5) involving 'pytest' and 'git', which are then saved to the filesystem ('docs/plans/').
  - Sanitization: Absent; there is no validation or escaping of the user-provided requirements before they are interpolated into the generated plan document.
- Command Execution (MEDIUM): The skill templates several shell commands for testing and git operations. If the input requirements influence variable parts of these commands, such as file paths or feature names, it could lead to command injection within the local development environment.
Recommendations
- AI detected serious security threats
Audit Metadata