review-work
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is instructed to extract and run shell commands from an external file. In Phase 3 (Test Execution), the instructions state to 'Run all individual test commands specified in the plan' and 'Run the full test suite'. This allows for arbitrary command execution on the host system based on the contents of the plan document.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection (Category 8) as it processes untrusted data that influences agent behavior.
- Ingestion points: The skill reads the plan document directly from disk at
docs/engineering-discipline/plans/YYYY-MM-DD-<feature-name>.md. - Boundary markers: There are no mentioned delimiters or boundary markers to separate the plan's data from instructions, increasing the risk that the agent may follow instructions embedded within the plan itself.
- Capability inventory: The skill has the capability to execute shell commands (Phase 3), perform file system inspection (Phase 2), and execute git commands (Phase 4).
- Sanitization: The skill lacks any explicit sanitization, validation, or escaping of the commands or content extracted from the plan document before they are processed or executed.
Audit Metadata