plan-execute

Pass

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  • Ingestion points: Untrusted data enters the agent context via the $ARGUMENTS placeholder inside the <plan> tags in SKILL.md.
  • Boundary markers: The plan data is delimited by <plan> tags, which may help identify the data block but do not prevent the agent from obeying instructions embedded within that data.
  • Capability inventory: The skill utilizes several powerful subagents (fullstack-developer, tester, git-manager, project-manager) capable of file system modification, command execution, and git operations.
  • Sanitization: No explicit sanitization or validation of the $ARGUMENTS content is performed before processing.
  • [COMMAND_EXECUTION]: The skill orchestrates the execution of various commands and subagents to manage the software development lifecycle.
  • Evidence: Steps 3 and 6 involve calling the tester and git-manager subagents to execute tests and commit code. The --approval=off mode allows these potentially sensitive operations to proceed without manual user verification.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 5, 2026, 06:07 PM
Security Audit — agent-trust-hub — plan-execute