Plan Review

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its document processing workflow.
      • Ingestion points: The skill reads user-supplied plan files, design documents, and architecture proposals as specified in SKILL.md and agent-prompt.md.
      • Boundary markers: The prompt templates for VP subagents in agent-prompt.md use basic [PLAN_CONTENT] placeholders and do not include instructions for the model to ignore or sanitize commands embedded within the plan text.
      • Capability inventory: The coordinating subagent is explicitly granted access to high-impact tools including Write, Edit, Bash, and Task.
      • Sanitization: No sanitization, validation, or filtering of ingested plan content is performed before it is passed to the subagent logic.
  • [COMMAND_EXECUTION]: The subagent defined in agent-prompt.md is provided with the Bash tool. While the primary workflow focuses on analysis and file editing, the availability of a shell interface increases the potential impact of a successful indirect prompt injection attack.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 8, 2026, 05:23 AM