planning-with-files
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill's core workflow involves gathering information from external research and storing it in a persistent markdown file ('notes.md'). The agent is then instructed to re-read these notes to guide its execution. This process creates a surface for indirect prompt injection, where malicious instructions hidden in external content could influence the agent's actions during the execution phase.
- Ingestion points: The agent reads from 'notes.md' (Phases 2 and 3) and 'task_plan.md' (all phases) to ground its work.
- Boundary markers: The template lacks explicit markers or instructions to treat external research findings as untrusted data or to ignore embedded instructions within them.
- Capability inventory: The skill has access to file manipulation tools ('Write', 'Edit') and shell execution ('Bash'), which increases the potential impact of a successful injection.
- Sanitization: There is no requirement for the agent to sanitize, validate, or escape content retrieved from external sources before storing it in the persistent memory files.