main
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill employs high-pressure override markers and absolute directives ("MUST invoke", "No exceptions", "No rationalizations", "") designed to bypass the agent's autonomous decision-making regarding tool use and task complexity.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a local shell script at '${CLAUDE_PLUGIN_ROOT}/scripts/init-planning-dir.sh' and to run 'git diff --stat' for environment setup and session recovery.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by reading from untrusted local files and git metadata.
  (1) Ingestion points: '.planning/progress.md', '.planning/findings.md', and git commit/diff output.
  (2) Boundary markers: Absent; no delimiters are used to separate recovered context from system instructions.
  (3) Capability inventory: Executes shell scripts and repository-level git commands.
  (4) Sanitization: Absent; content from the files is read and interpreted directly to restore state.