writing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: The skill takes 'specs or requirements' as input to create plans (SKILL.md).
- Boundary markers: There are no markers or delimiters defined to isolate untrusted requirements from the planning logic.
- Capability inventory: The resulting plans include shell commands (
git,pytest) and Python code, which are then handed off to powerful sub-skills likesuperpowers:executing-plansfor execution. - Sanitization: No validation or sanitization is performed on the input specs before they are used to generate commands.
- [Command Execution] (MEDIUM): The skill generates shell commands dynamically based on the input specifications. While the intended commands (
git,pytest) are standard, the lack of input sanitization allows for potential command injection if a requirement is crafted to include shell metacharacters (e.g.,;,&&,|). - [Dynamic Execution] (MEDIUM): The skill implements a 'Script generation + execution' pattern. It writes Python code and shell scripts based on external templates, which are then executed by a different agent session or subagent. This decouples the generation from the execution, potentially bypassing some real-time monitoring.
Recommendations
- AI detected serious security threats
Audit Metadata