gen-plan
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill is susceptible to Indirect Prompt Injection through the iterative reading of plan files.
  - Ingestion points: The skill reads the full contents of `plan-N.md` files from the repository root to use as context for the next iteration.
  - Boundary markers: Absent. The content from the plan file is inserted directly into the prompt template at the `<INCLUDE CONTENTS OF PLAN FILE>` placeholder without any delimiters or 'ignore embedded instructions' warnings.
  - Capability inventory: The skill has the capability to write new files (`plan-(N+1).md`) to the repository root and influence the agent's reasoning for subsequent steps.
  - Sanitization: Absent. There is no validation or escaping of the plan contents before they are interpolated into the instructions.
  - Risk: An attacker could inject malicious instructions into a `plan-N.md` file that, when read by the skill, could cause the agent to deviate from its intended behavior or write unauthorized content into the next plan iteration.
- COMMAND_EXECUTION (SAFE): The skill includes explicit safeguards and a strict contract that prohibits writing files outside the repository root and prevents overwriting existing files, which effectively limits the blast radius of potential exploits.
Audit Metadata