plan-hard
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes local utility scripts using Node.js and Python (e.g.,
.claude/scripts/set-active-plan.cjsand.claude/scripts/code_graph) to manage project state and perform dependency tracing. These calls are restricted to the project's internal directory structure and are integral to the skill's codebase analysis functionality. - [PROMPT_INJECTION]: The skill is designed to ingest and analyze potentially untrusted data from external sources and project files, creating a surface for indirect prompt injection.
- Ingestion points: Research results from
WebSearchandWebFetchtools, as well as arbitrary project code read viagrepor file-reading operations. - Boundary markers: Absent; the instructions do not specify the use of clear delimiters or isolation techniques when processing untrusted content.
- Capability inventory: The agent has the authority to create tasks (
TaskCreate), execute local scripts, and propose file modifications, though the latter is restricted by a 'PLANNING-ONLY' mandate. - Sanitization: Absent; the skill relies on the agent's internal reasoning and user confirmation rather than programmatic sanitization of external data.
Audit Metadata