v-planning
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it actively researches external codebases and uses the results to synthesize plans.
  - Ingestion points: The skill uses sub-agents like `codebase-locator` and `codebase-analyzer` to ingest data from the current codebase and reads local data from `~/.agentic-learnings.json` (Rule 3).
  - Boundary markers: The instructions do not specify any delimiters or safety markers to differentiate between the agent's instructions and potentially malicious content found within the analyzed files.
  - Capability inventory: The skill creates directories, writes multiple markdown files containing plan logic, spawns sub-agents, and utilizes vendor tools (`desplega:*`).
  - Sanitization: No sanitization or validation of the content retrieved from the codebase is mentioned before it is interpolated into the generated plans.
- [COMMAND_EXECUTION]: The skill facilitates the creation of plans that include runnable shell commands (e.g., `bun test`, `make lint`) within the 'Success Criteria' sections of the generated files.
  - Evidence: Rule 6 explicitly instructs the agent to 'maximize Automated Verification... push everything into runnable commands'. These commands are later intended for execution by an orchestrator, creating a pathway for potentially harmful commands if the planning logic is manipulated by malicious input from the source codebase.
Audit Metadata