skills/solatis/claude-config/planner/Gen Agent Trust Hub

planner

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill processes external data (the project codebase) to drive its planning and execution workflows, creating a surface for indirect instructions.
      • Ingestion points: Project files are read during the 'Exploration' and 'QR-Code' phases to gather context and verify proposed changes.
      • Boundary markers: The skill utilizes structured XML templates (explore-output-format.md) and JSON schemas (plan-json-schema.md) to delimit data, though these are not absolute security boundaries.
      • Capability inventory: The skill orchestrates code changes and executes local scripts (planner.py, executor.py) which could be influenced by malicious content in the scanned codebase.
      • Sanitization: Multiple 'Quality Review' (QR) gates are implemented to validate plan structure, code correctness, and documentation, serving as a significant mitigation against unintended behavior.
  • Command Execution (SAFE): Activation commands in SKILL.md invoke internal Python modules. No evidence of arbitrary or unsanitized shell command execution was found.
  • Data Exposure & Exfiltration (SAFE): No hardcoded credentials, sensitive system paths, or unauthorized network operations were detected. File access is restricted to the local working directory.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 04:41 PM