create-plan
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use shell commands such as `mv` to move files from a temporary directory (`_/`) to protected or sensitive directories (specifically `.claude/`). This technique is explicitly described as a method to bypass authentication prompts or user confirmation requirements that would otherwise occur when writing directly to those locations.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) because it reads untrusted content from the local codebase to inform its planning process without implementing sanitization or boundary markers.
  - Ingestion points: Existing codebase files and structures retrieved through exploration tools like `Explore Agent`, `Glob`, or `Grep` (as described in SKILL.md).
  - Boundary markers: There are no instructions or delimiters provided to ensure the agent ignores malicious instructions that might be embedded in the codebase files it reads.
  - Capability inventory: The skill possesses file system modification capabilities (writing to `_/local-plans/`, moving files with `mv`, and deleting directories with `rmdir`) alongside codebase exploration tools.
  - Sanitization: No validation, escaping, or filtering of the ingested codebase content is specified before the data is used to generate implementation plans.
Audit Metadata