executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core logic of executing untrusted external instructions.
  - Ingestion points: The skill reads external content via the 'Read plan file' instruction in SKILL.md.
  - Boundary markers: Absent. There are no delimiters or instructions to help the agent distinguish between legitimate plan data and malicious embedded instructions.
  - Capability inventory: The skill utilizes powerful capabilities including 'Execute Batch' (task execution) and 'Run verifications' (command execution), which are used to process the content of the untrusted plan.
  - Sanitization: Absent. The instructions to 'Follow each step exactly' and 'Follow plan steps exactly' mandate the agent to ignore its own safety reasoning and blindly execute the steps provided in the plan file.
- COMMAND_EXECUTION (MEDIUM): While the skill contains no malicious commands itself, it provides a direct framework for executing arbitrary tasks defined externally. The 'Execute Batch' process creates a persistent execution surface where an attacker-controlled file can dictate system commands under the guise of development tasks.
Recommendations
- AI detected serious security threats
Audit Metadata