plan-executor
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating untrusted data from external files into sub-agent instructions.
  - Ingestion points: The skill reads task descriptions and acceptance criteria from a plan file (provided via $ARGUMENTS) and project context from CLAUDE.md.
  - Boundary markers: While the templates use Markdown headers to separate sections, they lack explicit 'ignore embedded instructions' delimiters or warnings to prevent sub-agents from obeying commands hidden within the task data.
  - Capability inventory: The skill and its sub-agents have access to high-privilege tools including Bash, Write, Edit, and Task.
  - Sanitization: The orchestrator performs simple placeholder replacement without sanitizing or validating the content of the plan file or configuration files before injection.
- [COMMAND_EXECUTION]: The skill executes arbitrary shell commands defined as the 'test command' within the CLAUDE.md file.
  - Evidence: The orchestrator uses the Bash tool to run the command stored in the TEST_COMMAND variable, which is extracted directly from the project's CLAUDE.md file. An attacker who can modify this file can execute arbitrary code in the agent's environment.
Audit Metadata