skills/nesnilnehc/ai-cortex/plan-next/Gen Agent Trust Hub

plan-next

Warn

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Potential for Unauthorized File Access through User-Supplied Paths. The skill accepts a variable parameter that allows the agent to read files from paths determined at runtime.
  • Evidence: The input_schema and Step 3.7 documentation specify an optional glossary_path override that allows the caller to define the location of the project dictionary.
  • Risk: If the execution environment does not enforce strict path restrictions, a malicious actor could provide paths to sensitive local system files (e.g., SSH keys, AWS credentials, or password files) causing the agent to ingest and potentially expose their content in its analysis output.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to ingest and interpret data from numerous project files to generate governance routing plans, which creates an avenue for data-driven influence over agent behavior.
  • Ingestion points: The skill logic in Steps 1 and 2 scans and reads content from files within docs/project-overview/, docs/process-management/, docs/requirements/, docs/tasks/, docs/architecture/adrs/, docs/designs/, and the hidden .ai-cortex/ directory.
  • Boundary markers: The skill does not define or use delimiters to encapsulate untrusted file content, nor does it instruct the agent to ignore potentially malicious instructions embedded within those files.
  • Capability inventory: The skill's output includes generating recommended slash commands for other skills and orchestrating complex governance workflows based on the scanned content.
  • Sanitization: There is no evidence of sanitization or structural validation for the natural language content extracted from the project documentation.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 17, 2026, 04:28 AM
Security Audit — agent-trust-hub — plan-next