Gen Agent Trust Hub security audit: skills/anentrypoint/gm-skill/planning

Skill: planning

Result: Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core orchestration logic. It reads execution flow instructions (such as nextSkill) from external JSON files (out/<N>.json) that may contain data derived from untrusted sources like code search results.
  • Ingestion points: Files located in .gm/exec-spool/out/*.json and out/<N>.json.
  • Boundary markers: None identified; the skill assumes the integrity of the JSON content.
  • Capability inventory: The skill has access to Skill, Read, and Write tools, allowing it to trigger other agents or modify the file system.
  • Sanitization: No validation or sanitization of the nextSkill variable or search result evidence is specified before usage.
  • [COMMAND_EXECUTION]: The skill implements a file-based spooling mechanism for executing specialized tools like recall and codesearch. While these tools appear internal, the design of writing commands to .gm/exec-spool/in/ to be processed by a host environment introduces a layer of abstraction that could be abused if the agent is persuaded to write arbitrary commands to those paths.
Audit Metadata
Risk Level: SAFE
Analyzed: May 17, 2026, 10:31 AM
Security Audit — agent-trust-hub — planning