review-plan
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its primary function is to read and analyze implementation plans, which are external, untrusted data sources.
- Ingestion points: The skill reads the entirety of the plan to be reviewed in Step 1 within
SKILL.md. - Boundary markers: The instructions do not define or require specific delimiters or boundary markers (such as XML tags or unique string wrappers) to isolate the untrusted plan content from the agent's instructions, increasing the risk that instructions embedded in the plan could be followed.
- Capability inventory: The skill has the capability to spawn and delegate tasks to multiple sub-agent sessions using the
delegate_tasktool. While the instructions explicitly command these sub-agents to be read-only and avoid implementing code, an adversarial plan could attempt to override these constraints via prompt injection. - Sanitization: No evidence of input validation, filtering, or escaping of the plan content is present before it is passed to sub-agents.
Audit Metadata