deepen-plan
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell utilities including `find`, `sed`, `grep`, `cut`, and `xargs` to discover files and extract metadata from the local filesystem. Specifically, it executes these commands over `~/.claude` subdirectories to build a registry of available tools.
- [COMMAND_EXECUTION]: The skill incorporates user-supplied input through the `$ARGUMENTS` variable to define the `<plan_path>`. If this variable is not properly sanitized before being used in filesystem operations or shell commands, it could lead to command injection.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted data from project files.
  - Ingestion points: The skill reads `spec.md`, `prd.json`, and `brainstorm.md` from the provided plan folder.
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate embedded instructions within the processed files.
  - Capability inventory: The skill has the capability to execute shell commands, write updates to the local filesystem (updating `spec.md` and `prd.json`), and invoke other agents based on the content of the ingested files.
  - Sanitization: No sanitization or validation of the input text from the plan files is performed before it is used to match skills or influence agent behavior.
Audit Metadata