skills/majiayu000/spellbook/plan-flow/Gen Agent Trust Hub

plan-flow

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on executing local scripts (scripts/redundancy_scan.sh, scripts/findings_to_plan.py, scripts/plan_lint.py) to perform its primary function of code analysis. These scripts are invoked via subprocess.run without a shell, and arguments are derived from the local file system, which restricts the risk of command injection.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it extracts code snippets from a target repository and includes them in markdown plans which the agent is then instructed to execute.
  • Ingestion points: scripts/redundancy_scan.sh uses rg to capture lines from the codebase being analyzed, which are then processed and included in the evidence and title fields of the generated plans.
  • Boundary markers: The captured snippets are included in the plan's markdown tables and steps without explicit instructions or delimiters to prevent the AI from following commands embedded within the code snippets.
  • Capability inventory: The SKILL.md instructions authorize the agent to execute the plan steps, which involve modifying the filesystem and running shell commands (e.g., cargo test).
  • Sanitization: Content captured from the repository is rendered into the plan without sanitization or filtering to detect or remove natural language instructions designed to influence the agent's behavior.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 19, 2026, 03:58 PM
Security Audit — agent-trust-hub — plan-flow