executing-plans
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE PROMPT_INJECTION NO_CODE
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to load and follow instructions from a 'plan file'. This ingestion point creates a surface for indirect prompt injection where a malicious plan could influence agent behavior.
- Ingestion points: Plan file (Step 1: Load and Review Plan).
- Boundary markers: Absent; the instructions do not specify the use of delimiters or 'ignore' warnings for the plan content.
- Capability inventory: Task execution via TaskCreate, verification runs, and use of the 'finishing-branch' sub-skill.
- Sanitization: Absent; the skill relies on the agent's critical review rather than programmatic sanitization.
- [Data Exposure & Exfiltration] (SAFE): The skill records progress and discoveries in the local .planning/ directory. It does not access sensitive system paths (~/.ssh, etc.) or perform network requests.
- [Command Execution] (SAFE): No explicit shell commands or system calls are defined within the skill file itself.
- [No Code] (SAFE): The skill contains only markdown instructions and no executable scripts or binaries.
Audit Metadata