executing-plans
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to parse a 'verifyCommand' from a JSON metadata block inside a task description or a '.tasks.json' file and execute it. This allows for arbitrary shell command execution based on the contents of external data files.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data from plan files and task manifests without sanitization.
  - Ingestion points: Plan files (Step 1) and '.tasks.json' (Step 0) are read from the workspace.
  - Boundary markers: Absent; the skill parses task headers and code blocks without using delimiters or instructions to ignore nested prompt content.
  - Capability inventory: The skill allows for file writes ('.tasks.json'), git worktree management, and direct shell command execution ('verifyCommand').
  - Sanitization: No escaping, validation, or filtering is applied to the commands or metadata extracted from the plan files before they are processed by the agent.