interop
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a vulnerability surface for indirect prompt injection because it ingests data from external plan files and uses it to drive agent actions.
  - Ingestion points: The skill reads the content of the file specified in the $ARGUMENTS variable and extracts fields like Title, Goal, and Spec (SKILL.md, Step 1 and 2).
  - Boundary markers: No delimiters or specific instructions (e.g., 'ignore embedded commands') are used when parsing or passing the extracted data.
  - Capability inventory: The skill possesses significant capabilities, including the ability to write to the local filesystem using the Edit tool, add items to a backlog via the mcp__plugin_dh_backlog__backlog_add tool, and execute other AI agent skills via the Skill tool (SKILL.md, Step 3, 4, 6, 7).
  - Sanitization: There is no evidence of sanitization or validation of the content extracted from the plan file before it is utilized in tool calls or skill delegations.
Audit Metadata