plan-harder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (SAFE): The skill ingests untrusted data from the local codebase and user inputs during its research and clarification phases. This creates a theoretical surface for indirect prompt injection where malicious comments in the code could influence the plan's contents. However, the risk is negligible as the skill is explicitly restricted to planning and documentation and does not have the capability to execute the generated plans.
  - Ingestion points: File 'SKILL.md' (Phase 0 and Phase 1) describes reading the codebase and processing user requests.
  - Boundary markers: Absent; the skill does not use specific delimiters to wrap external data, relying instead on its internal logical flow.
  - Capability inventory: Subprocess calls: None; Exec/Eval: None; File-write: Phase 3 'Save' (writes to a local .md file); Network ops: None.
  - Sanitization: No explicit sanitization or escaping of codebase content is described before generating the plan.
- [Data Exposure & Exfiltration] (SAFE): The skill's research phase is confined to investigating architectural patterns and existing implementation logic. There are no patterns suggesting attempts to access sensitive file paths (like ~/.ssh or .env) or to exfiltrate data via network tools like curl or wget.
- [Unverifiable Dependencies & Remote Code Execution] (SAFE): No external packages are installed, and no remote scripts are downloaded or executed. The skill operates purely as a text-based planner.