executing-plans
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because its core functionality relies on reading and executing instructions from external, potentially untrusted markdown files.
- Ingestion points: The agent is instructed to read task definitions from .agents/TASKS/ and project requirements from .agents/PRDS/.
- Boundary markers: No explicit delimiters or instructions are provided to help the agent distinguish between trusted instructions and data from external files.
- Capability inventory: The agent has the capability to perform filesystem modifications (feature implementation) and Git operations (branching and committing) based on the ingested content.
- Sanitization: There is no defined process for sanitizing or validating the content of the markdown files before processing.
Audit Metadata