phase-running
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes automated verification commands and CLI test steps extracted directly from the "Success Criteria" and "QA Spec" sections of an input plan file.
- [COMMAND_EXECUTION]: A PostToolUse hook is configured to execute a vendor-provided Python script located at ${CLAUDE_PLUGIN_ROOT}/hooks/plan_checkbox_reminder.py.
- [PROMPT_INJECTION]: The skill is explicitly instructed to operate without human-in-the-loop oversight, suppressing user interaction via directives such as "do NOT interact with the user" and "do NOT use AskUserQuestion".
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon instructions (shell commands) contained within plan files.
  - Ingestion points: Plan file content read from disk during Step 1.
  - Boundary markers: None present; the agent treats extracted plan content as authoritative instructions.
  - Capability inventory: File system modification and arbitrary command execution via subprocesses.
  - Sanitization: No validation or escaping of commands is performed prior to execution.
- [REMOTE_CODE_EXECUTION]: The execution of arbitrary strings from a plan file constitutes a code execution vector if the plan is provided by an untrusted source or modified by an attacker (e.g., in a shared development environment).
Audit Metadata