plan-campaign

Pass

Audited by Gen Agent Trust Hub on Jul 4, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection due to its requirement to ingest and process data from external project artifacts.
  • Ingestion points: Untrusted content enters the workflow through research files (e.g., research/icp-research.md) and initiative sketches (docs/forsvn/artifacts/meta/sketches/prioritize-*.md) which are read and interpolated into agent instructions.
  • Boundary markers: Absent; data from these files is included directly in sub-agent prompts without explicit delimiters or warnings to ignore embedded commands.
  • Capability inventory: The skill's environment includes tools like Bash, WebFetch, and WebSearch, which could be exploited if a sub-agent were successfully injected.
  • Sanitization: The skill does not perform automated sanitization or instruction filtering on the project artifacts it consumes.
  • [COMMAND_EXECUTION]: The skill provides several TypeScript utility scripts (scripts/) intended for local project maintenance and data synchronization.
  • Execution Mechanism: These scripts use Bun.spawnSync to coordinate local processes and standard Node.js libraries for file management.
  • Security Hygiene: The scripts implement robust checks for directory escaping and symlink manipulation, using realpathSync and lstatSync().isSymbolicLink() to ensure operations remain within the project's knowledge layer.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 4, 2026, 10:17 PM
Security Audit — agent-trust-hub — plan-campaign