plan-review-gate
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to its core function of reading and processing externally provided or generated plan files.
- Ingestion points: The skill reads 'plan_file_path' and 'user's original request' content directly into the agent's context for evaluation.
- Boundary markers: There are no explicit instructions or delimiters (e.g., XML tags or block quotes with 'ignore instructions' warnings) to prevent the LLM from following instructions embedded within the plan being reviewed.
- Capability inventory: The skill allows access to powerful tools including Bash, Read, Grep, and Glob, which could be misused if the LLM obeys instructions contained within a malicious plan.
- Sanitization: The workflow lacks any sanitization or validation of the plan content prior to it being processed by the LLM for the review checks.