plan-flow
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing local scripts (
scripts/redundancy_scan.sh,scripts/findings_to_plan.py,scripts/plan_lint.py) to perform its primary function of code analysis. These scripts are invoked viasubprocess.runwithout a shell, and arguments are derived from the local file system, which restricts the risk of command injection. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it extracts code snippets from a target repository and includes them in markdown plans which the agent is then instructed to execute.
- Ingestion points:
scripts/redundancy_scan.shusesrgto capture lines from the codebase being analyzed, which are then processed and included in theevidenceandtitlefields of the generated plans. - Boundary markers: The captured snippets are included in the plan's markdown tables and steps without explicit instructions or delimiters to prevent the AI from following commands embedded within the code snippets.
- Capability inventory: The
SKILL.mdinstructions authorize the agent to execute the plan steps, which involve modifying the filesystem and running shell commands (e.g.,cargo test). - Sanitization: Content captured from the repository is rendered into the plan without sanitization or filtering to detect or remove natural language instructions designed to influence the agent's behavior.
Audit Metadata