agent-planner
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted user input through the $TASK variable which is incorporated into the planning logic and execution hooks.
- Ingestion points: $TASK variable used in the 'pre' and 'post' hooks within the YAML frontmatter of SKILL.md.
- Boundary markers: Absent; there are no delimiters or instructions provided to the agent to ignore embedded instructions within the task input.
- Capability inventory: Access to 'memory_store' for state persistence and several 'mcp__claude-flow' tools for task orchestration and resource allocation.
- Sanitization: Absent; the input is interpolated directly into commands and processed by the planning logic without validation.
- [COMMAND_EXECUTION]: The YAML hooks execute shell-like commands that interpolate the $TASK variable directly.
- Evidence: Hooks in SKILL.md use echo "... $TASK" and memory_store "... $TASK".
- Risk: If the host environment executing these hooks does not properly escape the $TASK string, it could allow command injection (e.g., via backticks or subshell expansion) by a user providing a malicious task description.