interview-plan
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests and processes content from external requirement files.
  - Ingestion points: Requirement documents specified in `$ARGUMENTS` or the default `plan.md` file (referenced in `SKILL.md`).
  - Boundary markers: Absent; the skill does not wrap the file content in delimiters or provide instructions to the agent to ignore embedded commands within those files.
  - Capability inventory: The skill utilizes `Bash`, `Write`, `EnterPlanMode`, and can invoke the `planning-with-files` skill, providing a path for injected instructions to affect the filesystem or execution environment.
  - Sanitization: Absent; the content read from files is not validated or filtered before being integrated into the agent's context.
- [COMMAND_EXECUTION]: The skill executes a local Node.js web server (`scripts/server.js`) via a shell script to provide visual aids during the interview process.
  - The server implementation includes security best practices such as directory traversal protection (using `path.basename`) and an automatic shutdown mechanism (30-minute idle timeout or parent process exit).
  - While the skill defaults to local binding (`127.0.0.1`), the `start-server.sh` script supports binding to all interfaces (`0.0.0.0`), which is documented as a risk in `SKILL.md` and should only be used in specific environments.
Audit Metadata