plans
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to construct shell commands using the `Bash` tool that incorporate unsanitized user input. Placeholders such as `NAME`, `TASK_NUM`, and `reason` are used directly in commands like `python3 ~/.claude/scripts/plan-manager.py create NAME` and `python3 ~/.claude/scripts/plan-manager.py abandon NAME --reason "reason"`. Without explicit instructions to sanitize or escape these variables, a malicious user could provide input containing shell metacharacters (e.g., semicolons, pipes, or backticks) to execute arbitrary commands on the host system.
- [REMOTE_CODE_EXECUTION]: The skill has a hard dependency on an external, unverifiable script located at `~/.claude/scripts/plan-manager.py`. All management operations flow through this script, which is not provided in the skill package, making its behavior impossible to audit for security vulnerabilities or malicious intent.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted user data and using it to drive powerful capabilities.
  - Ingestion points: User-supplied values for `NAME`, `TASK_NUM`, and `reason` within `SKILL.md`.
  - Boundary markers: None (the skill lacks delimiters or instructions to ignore instructions embedded in the user-provided data).
  - Capability inventory: Execution of shell commands via the `Bash` tool.
  - Sanitization: None (there is no logic to validate or clean the input before it is used in a shell context).
Audit Metadata