writing-plans

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill processes untrusted external input (specifications/requirements) to generate structured implementation plans that include executable content.
  • Ingestion Point: The skill ingests a 'spec or requirements' for a multi-step task.
  • Boundary Markers: Absent. There are no instructions or delimiters to prevent the agent from following instructions embedded within the user-provided spec.
  • Capability Inventory: The skill writes files to the local filesystem (docs/plans/) and explicitly hands off execution to high-privilege skills like superpowers:executing-plans and superpowers:subagent-driven-development.
  • Sanitization: Absent. The skill does not validate or sanitize the requirements before interpolating them into shell commands (pytest, git commit) or Python code blocks.
  • Command Execution (MEDIUM): The skill instructs the agent to generate and potentially execute shell commands. While the commands (e.g., pytest, git) are standard, the parameters and file paths are derived from untrusted input, which could lead to command injection if the input is crafted to include shell metacharacters.
  • Dynamic Execution (MEDIUM): The skill involves the dynamic generation of Python test cases and implementation code based on the provided spec. This code is intended to be executed by downstream subagents or execution tools, creating a path for arbitrary code execution if the generation process is subverted.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:39 AM