plan-gh
Warn
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell command using `uv run` where the query parameter is derived directly from user-supplied `$ARGUMENTS`. If `$ARGUMENTS` contains shell metacharacters (e.g., `;`, `&&`, `|`) or unescaped quotes, it could lead to arbitrary command execution on the host system.
  - Evidence: `uv run "{{HOME_TOOL_DIR}}/skills/recall/scripts/recall.py" "<QUERY>" --limit 5 --format markdown` where `<QUERY>` is constructed from `$ARGUMENTS`.
- [INDIRECT_PROMPT_INJECTION]: The skill processes an external, potentially untrusted specification file to generate development plans, GitHub issues, and implementation prompts. This creates a surface where malicious instructions embedded in the specification could influence the agent's output or actions.
  - Ingestion points: Step 1 involves reading a specification file (e.g., `spec.md`) specified in `$ARGUMENTS`.
  - Boundary markers: None present; the agent is not instructed to ignore instructions inside the specification file.
  - Capability inventory: The skill has the ability to write files (`development-plan.md`), create GitHub issues (`gh issue create`), and execute shell commands (`uv run`).
  - Sanitization: No sanitization or validation of the specification content is mentioned.
Audit Metadata