executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest implementation plans from external files and use them to drive sub-agent behavior. This creates a critical vulnerability surface where an attacker-controlled plan can hijack the agent's logic.
  - Ingestion points: The skill reads tasks and instructions from a plan-file specified at runtime.
  - Boundary markers: No specific boundary markers or 'ignore embedded instructions' warnings are utilized when processing the plan content.
  - Capability inventory: The skill can spawn sub-agents, create/modify git branches, execute arbitrary test suites, perform network requests via curl, and commit code changes to a repository.
  - Sanitization: No validation or sanitization of the plan file's content is described.
- Command Execution (LOW): The skill explicitly uses shell commands for development workflows. This is expected behavior but increases the impact of potential injection attacks.
  - Evidence: Instructions include the use of git for branching and committing, as well as curl for manual verification of API endpoints.
Recommendations
- AI detected serious security threats
Audit Metadata