executing-plans

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and executes instructions from external plan files.
  • Ingestion points: The skill reads implementation plan files from the workspace during the 'Load and Review Plan' phase (Step 1).
  • Boundary markers: There are no technical delimiters or sandboxing markers defined to separate plan content from agent instructions, though the skill mandates a manual 'critical review' by the agent.
  • Capability inventory: The skill possesses the ability to create tasks, execute shell-based verification commands, and interact with git via integrated writing tools.
  • Sanitization: The instructions do not include any automated validation, escaping, or filtering of the content retrieved from the plan files.
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to execute shell commands for verification purposes based on the content of the implementation plan.
  • Evidence: Step 2, item 3 ('Run verifications as specified') and Step 3 ('Show verification output'). This capability can be abused if a malicious plan file specifies dangerous commands in the verification steps.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 05:55 PM
Security Audit — agent-trust-hub — executing-plans