krypton-planning

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, NO_CODE
Full Analysis
  • [PROMPT_INJECTION]: The skill implements a multi-step planning chain where user requests (feature requests, bugfixes) are used to generate implementation plans (PLAN.md, GOAL.md) that are subsequently interpreted by other agents. This structure presents an indirect prompt injection surface where a malicious user request could attempt to embed instructions that influence the downstream agent's behavior.
  • Ingestion points: Untrusted user input enters the agent context via feature requests, bugfixes, or refactor descriptions defined in SKILL.md and agents/openai.yaml.
  • Boundary markers: The skill uses markdown headers to structure output but lacks explicit delimiters (e.g., XML tags or code blocks) to isolate user-provided content from the generated plan instructions.
  • Capability inventory: The skill performs file system writes to create planning documents and can dispatch a "read-only explorer" sub-agent for repository mapping.
  • Sanitization: No sanitization, validation, or escaping of user input is specified before the content is interpolated into implementation plans.
  • [NO_CODE]: The skill is composed strictly of markdown templates and configuration files. It contains no executable scripts (Python, Node.js, Shell, etc.) or binaries, significantly reducing the direct attack surface.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 19, 2026, 11:00 AM
Security Audit — agent-trust-hub — krypton-planning