plan-campaign
Pass
Audited by Gen Agent Trust Hub on Jul 4, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection due to its requirement to ingest and process data from external project artifacts.
- Ingestion points: Untrusted content enters the workflow through research files (e.g.,
research/icp-research.md) and initiative sketches (docs/forsvn/artifacts/meta/sketches/prioritize-*.md) which are read and interpolated into agent instructions. - Boundary markers: Absent; data from these files is included directly in sub-agent prompts without explicit delimiters or warnings to ignore embedded commands.
- Capability inventory: The skill's environment includes tools like
Bash,WebFetch, andWebSearch, which could be exploited if a sub-agent were successfully injected. - Sanitization: The skill does not perform automated sanitization or instruction filtering on the project artifacts it consumes.
- [COMMAND_EXECUTION]: The skill provides several TypeScript utility scripts (
scripts/) intended for local project maintenance and data synchronization. - Execution Mechanism: These scripts use
Bun.spawnSyncto coordinate local processes and standard Node.js libraries for file management. - Security Hygiene: The scripts implement robust checks for directory escaping and symlink manipulation, using
realpathSyncandlstatSync().isSymbolicLink()to ensure operations remain within the project's knowledge layer.
Audit Metadata