GSD Planner
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because, by design, it processes untrusted external data to create executable plans.
- Ingestion points: The agent reads from .gsd/SPEC.md, .gsd/ARCHITECTURE.md, and external research documents (RESEARCH.md) produced during discovery protocols.
- Boundary markers: Employs XML-like tags (e.g., , , ) to structure its output, which provides structural separation but does not prevent instruction override.
- Capability inventory: The resulting plans specify arbitrary file paths for modification () and shell commands for execution ().
- Sanitization: There is no evidence of filtering or validation for the commands or paths generated based on external inputs.
- [COMMAND_EXECUTION]: The task structure explicitly includes a field intended for shell commands such as npm test or curl. This capability allows for arbitrary command execution on the host system as part of the plan fulfillment process.
Audit Metadata