
plan-verify

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The workflow explicitly directs the agent to 'Run gates' by extracting and executing commands from local files such as .claude/commands/feature-workflow.md or the 'Testing Procedures' section of plan documents. Since these files are often part of the repository being analyzed, an attacker could include malicious commands (e.g., data exfiltration or filesystem deletion) that the agent would then execute with user privileges.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8).
    1. Ingestion points: docs/codex-plans/<plan>.md and .claude/commands/feature-workflow.md.
    2. Boundary markers: None identified; the agent is told to follow the 'Acceptance criteria' and 'Testing Procedures' directly.
    3. Capability inventory: Full shell command execution via the 'Run gates' step.
    4. Sanitization: None; the skill lacks any validation or whitelisting of the commands it extracts from external files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:34 PM