executing-plans

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core workflow of processing external, potentially untrusted markdown files.
      • Ingestion points: The agent reads task definitions from .agents/TASKS/ and linked requirements from .agents/PRDS/.
      • Boundary markers: There are no explicit delimiters or instructions provided in the task template to prevent the agent from following instructions embedded within the processed files.
      • Capability inventory: The skill allows the agent to modify code, commit changes, and trigger other skills like qa-reviewer, which could be exploited if malicious instructions are followed.
      • Sanitization: No sanitization or validation logic is defined for the content of the task or PRD files before they are interpreted by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 11:31 PM