writing-plans
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a multi-agent verification workflow where sub-agents are dispatched to read and verify implementation plans. This creates a surface for indirect prompt injection.
  - Ingestion points: The implementation plan is generated from user-provided specifications and requirements, then saved to disk (docs/plans/). Verification agents subsequently read these files.
  - Boundary markers: The prompt templates for verification sub-agents in references/verification-dispatch.md instruct the agent to read the plan file but do not use clear boundary delimiters (like XML tags) or 'ignore embedded instructions' warnings to isolate the plan content.
  - Capability inventory: The system uses a Task dispatch mechanism for sub-agents and grants them the ability to edit plan files.
  - Sanitization: There is no evidence of sanitization or validation of the user-influenced plan content before it is processed by the sub-agents.
- [COMMAND_EXECUTION]: The skill's workflow (execution-handoff.md) explicitly requires the agent to execute CLI commands including git, pytest, npm test, and a custom toolset named bd (e.g., bd ready, bd graph). It also utilizes a tool called plan2beads for task conversion. These are integrated into the primary function of the skill for software development automation.