ak-plan
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes several CLI tools including
git,gh(GitHub CLI), andak(Agent-Kanban CLI) for project scaffolding, repository management, and task orchestration. These tools are used within their intended scope for project automation. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface (Category 8) because it ingests and processes data from external, potentially untrusted sources to make autonomous decisions such as merging code or creating tasks.
- Ingestion points: The agent reads external content from repository files (e.g.,
CONTRIBUTING.md,README.md, codebase architecture), git history, and worker-submitted data such as pull request descriptions and task notes. - Boundary markers: There are no specified boundary markers or 'ignore' instructions implemented when the agent reads and interprets documentation or project files from the file system.
- Capability inventory: The skill has high-privilege capabilities including merging code to the main branch (
gh pr merge), creating and configuring new agents (ak apply), and defining task specifications that other agents will execute. - Sanitization: The instructions do not define sanitization or validation logic for the content read from external files or worker agent communications before it is processed by the leader agent.
Audit Metadata