planning-agent
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes untrusted external data.
  - Ingestion points: The agent reads content from parent issue titles, descriptions, and acceptance criteria, as well as user-provided architecture or design documents.
  - Boundary markers: While it utilizes structured handoff tags () for its internal execution trace, there are no explicit delimiters or safety instructions provided to the agent to ignore potentially malicious commands embedded within the external ticket data.
  - Capability inventory: The skill is granted access to issue tracker tools via MCP (for subtask creation, tagging, and commenting) and local file search tools like grep and ripgrep. It does not have the ability to edit files, create commits, or perform network requests.
  - Sanitization: The instructions do not specify any validation, filtering, or escaping mechanisms for the data ingested from tickets or user documents before it is processed.
Audit Metadata