planning
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection surface (Category 8).
  - Ingestion points: references/research-phase.md instructs the agent to use the gh command to read GitHub Pull Requests, Issues, and Discussions, and repomix --remote to ingest content from arbitrary GitHub repositories.
  - Boundary markers: No delimiters or 'ignore embedded instructions' warnings are defined for the external data ingested.
  - Capability inventory: The skill generates detailed 'Phase' files in the ./plans/ directory. According to references/plan-organization.md, these files specify 'Related Code Files' (to modify, create, or delete) and 'Implementation Steps' with 'Specific instructions'.
  - Sanitization: No sanitization or validation of external content is mentioned. An attacker could embed instructions in a GitHub issue or documentation file that, when processed by this skill, result in a plan that creates backdoors or deletes critical data.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill explicitly uses repomix --remote <github-repo-url> to download and process remote repository content (references/research-phase.md). This constitutes the processing of untrusted remote data, which serves as the primary vector for the identified injection vulnerability.
- DATA_EXFILTRATION (LOW): In references/codebase-understanding.md, the skill directs the agent to 'Analyze dotenv files and configuration'. While this is contextually relevant for technical planning, it creates a risk of accidental exposure of sensitive environment variables if the resulting plans are shared or if the agent provides them to an untrusted researcher agent.
Recommendations
- AI detected serious security threats