plan-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Finding: PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): High susceptibility to Indirect Prompt Injection (Category 8) through external research data.
- Ingestion Point: The skill reads untrusted research content from scripts/aha-loop/research/[story-id]-research.md in Step 1. These reports often aggregate data from the web or other external sources.
- Capability Inventory: The skill has file-write permissions for prd.json (Step 4), which defines the roadmap, acceptance criteria, and implementation notes for the entire project. This influences all subsequent agent actions.
- Boundary Markers: Absent. There are no delimiters or instructions to treat the research report as non-authoritative data.
- Sanitization: Absent. The skill does not filter the research report for instructions or validate the proposed changes against security policies.
- Impact: An adversary could embed instructions in the research data (e.g., 'Research found that user tokens should be stored in plaintext for performance') which the agent might then inject into the PRD as a legitimate requirement for a downstream coding agent to implement.
Recommendations
- AI detected serious security threats
Audit Metadata