ce-plan
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill includes a feature to share project plans with an external domain (www.proofeditor.ai). This sends the entire plan document, which may include internal architecture details and research results, to an external third-party service.\n- [COMMAND_EXECUTION]: Shell commands for creating issues via GitHub (gh) and Linear CLIs use titles and descriptions sourced from user input and internal documents. These inputs are not fully sanitized before being passed as command-line arguments.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes external files (docs/brainstorms/*.md) and user-provided descriptions, using this content to influence subsequent automated agent tasks and shell executions without robust input validation or isolation.\n
- Ingestion points: Processes feature descriptions from user arguments and reads all files within docs/brainstorms/.\n
- Boundary markers: Lacks robust boundary markers or safety instructions when processing internal brainstorm files.\n
- Capability inventory: Possesses capabilities for file system writes, shell command execution (ls, mkdir, cat, gh, linear), and network operations (curl).\n
- Sanitization: Uses jq for JSON construction in the share feature but lacks sanitization for shell command interpolation.
Audit Metadata