plan-review-cdx
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads implementation plans from the user context or local files and provides this untrusted content to reviewer subagents. A malicious plan could include instructions intended to bypass the review logic or force specific "corrections."
- Ingestion points: The active plan context or file paths provided as arguments in
SKILL.md(Step 0). - Boundary markers: Uses markdown delimiters and horizontal rules to separate reviews, but lacks explicit instructions for subagents to ignore instructions embedded within the ingested plan content.
- Capability inventory: The agent has file-write permissions to modify the plan, can spawn subagents, and can execute shell commands (
cp,rm). - Sanitization: No sanitization or validation of the plan content is performed before it is processed by the agents.
- [COMMAND_EXECUTION]: The skill employs shell commands (
cp,rm) for managing plan snapshots and cleaning up temporary files in/tmp/. While these are used for standard workflow state management, they process paths associated with the user-provided plan file.
Audit Metadata