st-refine-plan

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute project-specific lifecycle hooks located at <root>/config/hooks/PRE_PLAN.md and <root>/config/hooks/POST_PLAN.md. This results in the agent performing actions or following instructions defined within the user's own repository files.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and acts upon instructions from untrusted project files (configuration, templates, and plan documents) without sufficient sanitization or boundary markers.
  • Ingestion points: Reads project-level files including config/STRIKETHROO.md, config/hooks/PRE_PLAN.md, config/templates/PLAN_TEMPLATE.md, and plan markdown files.
  • Boundary markers: None. The instructions do not use delimiters or specific warnings to ignore embedded commands within the ingested data.
  • Capability inventory: The skill has the ability to read and write files and execute shell scripts (via the provided .cjs helpers), and it is prompted to follow instructions found in markdown files which could lead to arbitrary task execution.
  • Sanitization: The skill does not validate or sanitize the contents of the project files before acting on the instructions they contain.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 14, 2026, 02:12 PM
Security Audit — agent-trust-hub — st-refine-plan