plan-creator
Warn
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill writes plan artifacts and temporary HTML forms to the ~/.claude/plans/ directory. This is standard behavior for the author's workflow but involves persistent file system modifications outside of the active project repository.
- [REMOTE_CODE_EXECUTION]: The skill generates local HTML files containing JavaScript (references/html-question-form.md) to provide batch interrogation forms. This presents an XSS (Cross-Site Scripting) risk; if the agent extracts 'decisions' or 'rationale' from a malicious repository file and interpolates them into the HTML template without sanitization, it could execute arbitrary code in the user's browser context when the file is opened.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its document grounding mechanism.
  - Ingestion points: Reads repository files including ADRs, RFCs, READMEs, and library documentation (references/doc-grounding.md).
  - Boundary markers: No explicit markers or 'ignore' instructions are used when interpolating documentation content into the prompt.
  - Capability inventory: The skill has the ability to read any file in the repo and write to the local file system (~/.claude/plans/).
  - Sanitization: No sanitization or validation of extracted documentation content is performed before it is used to ground the planning process.
Audit Metadata