executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core function is to read a plan file and execute its contents, which presents a significant attack surface for indirect prompt injection.
- Ingestion points: Step 1 requires the agent to "Read plan file" from the file system.
- Boundary markers: Absent. The instructions do not include any delimiters or warnings to ignore embedded instructions within the plan file.
- Capability inventory: The skill possesses high-privilege capabilities including task execution, batch processing, and the use of sub-skills for completing development branches (which often involves code modification and repository interaction).
- Sanitization: Absent. The instruction "Follow each step exactly" explicitly commands the agent to obey the plan's contents without sanitizing or questioning the logic for security implications.
- Evidence: The "Core principle" of batch execution combined with the requirement to "Follow each step exactly" ensures that any malicious instruction embedded in a plan file would likely be executed by the agent.
Recommendations
- AI detected serious security threats