writing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): This skill provides a significant surface for Indirect Prompt Injection (Category 8). It ingests untrusted 'specs or requirements' and transforms them into structured tasks. Because these tasks are passed to the 'executing-plans' sub-skill, which has system-writing and execution capabilities, a malicious requirement could inject destructive shell commands or backdoored code into the implementation plan. Evidence: 1. Ingestion: Processes untrusted specifications. 2. Boundary markers: Absent; there are no delimiters or warnings to ignore embedded instructions. 3. Capability inventory: Generates file-write operations (docs/plans), shell commands (git, pytest), and Python code. 4. Sanitization: None; input is directly interpolated into the plan structure.
- COMMAND_EXECUTION (MEDIUM): The skill generates shell commands (Category 10) intended for testing and version control. While it does not execute them directly, it creates the templates used by subsequent automated agents. A malicious user could provide a requirement that results in the generation of destructive commands (e.g., 'rm -rf /' or exfiltration via curl) that the sub-agent might execute.
Recommendations
- AI detected serious security threats
Audit Metadata