deepen-plan
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands (`ls`, `find`, `cat`, `head`) to inspect the filesystem, targeting project directories and sensitive user-global paths such as `~/.claude/`. It accesses configuration files like `installed_plugins.json` and scans plugin caches to find executable skills and agents.
- [PROMPT_INJECTION]: The skill has a significant indirect prompt injection surface.
  - Ingestion points: It reads content from `SKILL.md` files in project-local directories, user-global directories, and plugin caches, as well as the plan file provided in the arguments.
  - Boundary markers: None are present; the skill lacks delimiters or warnings to ignore malicious instructions embedded in the processed data.
  - Capability inventory: The skill can execute shell commands (`ls`, `find`, etc.), spawn numerous sub-agents with the `Task` tool, and write the resulting synthesized content back to files.
  - Sanitization: There is no evidence of sanitization or validation of the instructions found in the discovered markdown files before they are passed to sub-agents with the command to "follow the skill's instructions exactly."
- [COMMAND_EXECUTION]: The 'Post-Enhancement Options' include executing `git diff`, which relies on the integrity of the file paths and environment to avoid command injection or unauthorized data access.
Audit Metadata