skills/microsoft/hve-core/rai-planner/Gen Agent Trust Hub

rai-planner

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • Dynamic Command Assembly: The skill instructs the agent to run an artifact-signing script whose arguments incorporate a project identifier variable.
  • Evidence: npm run rai:sign -- -ProjectSlug {slug} in references/backlog-handoff.md.
  • Interpolating the {slug} placeholder into a shell command creates a potential argument-injection vector: if the project identifier comes from untrusted or unvalidated input, it could introduce unintended command arguments. This command is part of the planner's intended signing workflow.
  • Indirect Prompt Injection Surface: The skill processes session-specific data to generate artifact tables and local file links.
  • Ingestion points: The {slug} variable is read from session state in references/backlog-handoff.md.
  • Boundary markers: No explicit delimiters or instruction-ignore blocks surround the interpolated {slug} variable.
  • Capability inventory: The skill runs subprocesses via npm and generates relative file paths from session data.
  • Sanitization: The instructions specify no validation or escaping of project-specific variables before they are interpolated into the artifact table or the command line.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 19, 2026, 09:31 AM
Security Audit — agent-trust-hub — rai-planner