implementation-planning
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it interpolates untrusted user-provided content into instructions for autonomous sub-agents.
  - Ingestion points: Input from technical tickets, 'shaped work' documents, or technical challenges is directly interpolated into templates for the Explore sub-agents within SKILL.md.
  - Boundary markers: The prompts (e.g., 'Find all files related to [feature/domain]') do not use delimiters or negative constraints to isolate the untrusted input from the agent's core instructions.
  - Capability inventory: The sub-agents can map directory structures, read file contents, and trace data flows across the codebase. The primary agent has the capability to write persistent files to the thoughts/plans/ directory.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the user-provided ticket content before it is used to drive agent behavior.
Audit Metadata