plannotator-last
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
plannotator lastcommand using the Bash shell to initiate an annotation session. This is the intended behavior of the skill, and the command does not appear to dynamically incorporate unvalidated user input into its arguments. - [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting external feedback and instructing the agent to incorporate it into its logic.
- Ingestion points: Content returned from the
plannotator lastcommand execution inSKILL.mdis ingested into the agent's context. - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat the returned annotations as untrusted data or to ignore any embedded instructions within that feedback.
- Capability inventory: The skill is capable of executing shell commands (
plannotator last) as defined inSKILL.md. - Sanitization: No sanitization or filtering is performed on the tool's output before it is interpolated into the follow-up response logic.
Audit Metadata