create-plan
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted PRD files and source code to generate execution plans.
- Ingestion points: The agent reads PRD files and source code from the repository to extract requirements and technical context (SKILL.md, Step 1 and Step 3).
- Boundary markers: Absent. The skill lacks instructions to distinguish between the content of the PRD and the agent's internal instructions, and it explicitly encourages incorporating all details from the source documents.
- Capability inventory: The agent can read files, search the filesystem, write new markdown files, and is encouraged to execute terminal commands for research and validation.
- Sanitization: Absent. The skill does not validate or sanitize input content from the PRD before using it to generate the plan or perform research.
- [COMMAND_EXECUTION]: The skill involves identifying and documenting command-line operations (such as
curl,npm test, andprisma) as part of the execution plan and validation steps. This creates an attack surface where an agent might be influenced by a malicious PRD to include or execute unsafe commands during the research or plan-generation phases.
Audit Metadata