implement-plan
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to follow instructions from external markdown files (.turbo/plans/*.md). This architecture is susceptible to indirect prompt injection where an attacker-controlled plan file can dictate the agent's actions.
  * Ingestion points: Plan files in .turbo/plans/, .turbo/shells/, or .turbo/plan.md.
  * Boundary markers: Absent; the agent is instructed to read and execute the plan's steps and verification commands.
  * Capability inventory: Reading files, loading skills, and running commands via the /implement skill.
  * Sanitization: No validation or filtering is performed on the content of the plan files.
- [DATA_EXFILTRATION]: The skill reads every file path mentioned in various sections of the plan (Context Files, Pattern Survey, etc.). A malicious plan could include paths to sensitive data like SSH keys or environment variables to expose them.
- [COMMAND_EXECUTION]: The skill executes 'Verification' commands and 'Implementation Steps' directly from the plan file, allowing for the execution of arbitrary shell commands or tool invocations provided by the plan.
Audit Metadata