project-planner
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill relies on an orchestration pattern where AI agents execute shell commands derived from 'templates/tasks-template.json' and 'templates/implementation-plan-template.md'. This creates a high-severity indirect prompt injection surface: if these files are populated with untrusted content, an attacker can execute arbitrary code.
  - Ingestion points: 'instruction' and 'verification' fields in 'tasks-template.json'.
  - Boundary markers: None present to separate system instructions from data-derived commands.
  - Capability inventory: Broad shell access for running 'bun', 'node', 'git', and other development tools.
  - Sanitization: No sanitization of command strings before execution.
- [Command Execution] (MEDIUM): The skill defines a system for running various shell commands (e.g., 'bun run typecheck', 'bun test') and complex scripts ('node -e'). While intended for automation, the reliance on dynamic command strings from template files increases the overall risk.
- [Dynamic Execution] (MEDIUM): 'tasks-template.json' contains logic for executing runtime-generated code (e.g., node scripts for coverage checking), a pattern that can be exploited if the inputs are not strictly controlled.
Recommendations
- AI detected serious security threats. Per the findings above, treat the 'instruction' and 'verification' fields of 'tasks-template.json' as untrusted data: validate command strings against an allowlist and run them without a shell instead of executing them verbatim, and add boundary markers that separate system instructions from template-derived content.
Audit Metadata