plan-execute
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
- Ingestion points: Untrusted data enters the agent context via the
$ARGUMENTSplaceholder inside the<plan>tags inSKILL.md. - Boundary markers: The plan data is delimited by
<plan>tags, which may help identify the data block but do not prevent the agent from obeying instructions embedded within that data. - Capability inventory: The skill utilizes several powerful subagents (
fullstack-developer,tester,git-manager,project-manager) capable of file system modification, command execution, and git operations. - Sanitization: No explicit sanitization or validation of the
$ARGUMENTScontent is performed before processing. - [COMMAND_EXECUTION]: The skill orchestrates the execution of various commands and subagents to manage the software development lifecycle.
- Evidence: Steps 3 and 6 involve calling the
testerandgit-managersubagents to execute tests and commit code. The--approval=offmode allows these potentially sensitive operations to proceed without manual user verification.
Audit Metadata