planning
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill documentation describes a system for the agent to read and update task plans (e.g.,
PLAN.yml) using file system tools. This architecture is vulnerable to indirect prompt injection if the plan content comes from or is influenced by untrusted external data. - Ingestion points: Uses the
read_filetool to ingest plan data from the filesystem (e.g.,PLAN.yml). - Boundary markers: Absent. There are no instructions or delimiters defined to help the agent distinguish between data to be tracked and instructions to be followed.
- Capability inventory: Includes the
write_filetool, which grants the agent the ability to modify the local environment based on its interpretation of the plan. - Sanitization: No sanitization, schema validation, or content filtering is specified for the data processed by this skill.
Audit Metadata