plan-ceo-review

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute several shell commands (git log, git diff, git stash, grep, find) during the PRE-REVIEW SYSTEM AUDIT phase to collect local repository context and history.
  • [PROMPT_INJECTION]: The skill employs authoritative instructions to override the agent's default behavior in favor of a specific mode (e.g., 'Critical rule: Once the user selects a mode, COMMIT to it. Do not silently drift'). It also presents a surface for indirect prompt injection by processing untrusted repository data:
      • Ingestion points: The agent is directed to read context from AGENTS.md, TODO.md, and TODOS.md.
      • Boundary markers: There are no defined delimiters or instructions to ignore embedded commands within the ingested files.
      • Capability inventory: The agent has the ability to execute shell commands and read various files across the repository.
      • Sanitization: No explicit filtering or validation of the content within the ingested markdown files is implemented.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 08:29 PM