Skills
skills/borkweb/skills/plan-deep-review/Gen Agent Trust Hub

plan-deep-review

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill leverages the Bash tool to execute standard development commands such as git log, git diff, and gh. These operations are limited to gathering repository context and are aligned with the skill's intended purpose.
  • [PROMPT_INJECTION]: The skill processes untrusted external data by reading project files like CLAUDE.md, TODOS.md, and git history. This creates an indirect prompt injection attack surface (Category 8).
  • Ingestion points: Reads local files (CLAUDE.md, TODOS.md, architecture docs) and shell command outputs (git log, grep).
  • Boundary markers: The instructions do not define explicit boundary markers or directives to ignore instructions embedded within the data being reviewed.
  • Capability inventory: The agent has access to Bash and WebSearch tools, which could potentially be abused if an injection is successful.
  • Sanitization: There is no evidence of sanitization or filtering of the content read from external files.
  • Mitigation: The skill enforces a human-in-the-loop approach using AskUserQuestion and a structured review pacing, which acts as a safeguard against autonomous malicious actions.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 06:02 AM
Security Audit — agent-trust-hub — plan-deep-review