executing-plans

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill serves as an orchestrator that ingests external implementation plans and incorporates their instructions into prompts for sub-agents. This design pattern establishes a surface for indirect prompt injection (Category 8).
  • Ingestion points: Untrusted implementation plans (referenced as plan-file) are used to define the implementation steps.
  • Boundary markers: The skill does not implement delimiters or explicit 'ignore embedded instructions' warnings when passing plan data to sub-agents.
  • Capability inventory: The orchestration environment and its sub-agents have extensive capabilities, including reading/writing files, executing shell commands (git, test runners, CLI tools), and performing network requests (curl).
  • Sanitization: No sanitization or validation of the implementation plan content is specified before interpolation.
  • [COMMAND_EXECUTION]: The instructions direct the agent to execute various shell commands for environment setup, automated testing, and manual verification. This includes running test suites and using curl to interact with API endpoints, which is expected behavior for a development tool but represents a powerful execution context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 6, 2026, 03:50 PM