plan-runner
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes git commands (git status, git add, git commit, git diff) to manage the implementation workflow. It extracts a PLAN_SLUG identifier from the plan's filename and interpolates it into commit messages. This pattern poses a potential command injection risk if the filename contains shell metacharacters and the execution environment does not properly escape arguments.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface (Category 8) because it reads and processes instructions from an external markdown plan file which are then passed to subagents.
- Ingestion points: The markdown plan file (e.g., .md) is read to extract wave-grouped tasks.
- Boundary markers: The instructions do not specify the use of delimiters or 'ignore' instructions when passing extracted plan content to subagents.
- Capability inventory: The skill can execute shell commands (git) and spawn subagents that have read/write access to the codebase.
- Sanitization: The skill does not describe any validation or sanitization of the content read from the plan file before it is utilized in the workflow.
Audit Metadata