writing-plans
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Prompt Injection] (MEDIUM): The skill is susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted user specifications to generate executable-like implementation plans.
- Ingestion points: User-provided feature requirements and specifications used to populate the 'Specification' and 'Tasks' sections of the plan.
- Boundary markers: Absent. The skill provides no instructions or delimiters to help the agent distinguish between legitimate requirements and embedded malicious instructions.
- Capability inventory: The generated output includes shell commands for context loading (read, glob) and task verification (npm test), providing a direct path from injected instructions to command generation.
- Sanitization: Absent. There is no validation or filtering of user input before it is used to generate the plan's tasks and commands.
- [Command Execution] (LOW): The skill templates the use of shell commands for environment setup and verification. While standard for development workflows, this pattern encourages the automated generation of executable code, which increases the risk if the planning agent is misled by malicious input.
Audit Metadata