
planning

Warn

Audited by Gen Agent Trust Hub on Jun 28, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION · DATA_EXFILTRATION · PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a verification protocol in 'claim-verification.md' that instructs the agent to execute various shell commands, including 'grep', 'find', 'git', 'npm test', and 'curl'. These commands are dynamically constructed based on hypotheses derived from implementation plans and documentation, which could be exploited for command injection if malicious strings are present in those sources. Additionally, the 'html-question-form.md' file allows the agent to generate a local HTML file containing JavaScript for user interaction.
  • [DATA_EXFILTRATION]: The verification workflow allows for network operations using 'curl'. Because the agent reads sensitive local data (code, docs, environment details) and then performs these network checks, there is a risk that a malicious plan or input could prompt the agent to transmit sensitive information to an external endpoint.
  • [PROMPT_INJECTION]: The skill processes untrusted data from multiple sources including user input, codebase files, and external documentation (RFCs, ADRs). It lacks explicit sanitization or strict boundary markers when these external instructions are interpolated into the agent's reasoning process.
    ◦ Ingestion points: Codebase files and documentation identified during Step 1 (Understand intent).
    ◦ Boundary markers: The skill does not define specific delimiters or 'ignore' instructions for external content.
    ◦ Capability inventory: The agent can read files, write to '~/.claude/plans/', and execute shell commands via the verification protocol.
    ◦ Sanitization: No explicit validation or escaping of external content is performed before interpolation into prompts.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 28, 2026, 07:00 AM
Security Audit — agent-trust-hub — planning