run-plan
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits vulnerability to indirect prompt injection by ingesting data from external implementation plans and interpolating it into subagent instructions.
  - Ingestion points: Reads plan documents from the file system (SKILL.md, Step 1).
  - Boundary markers: Absent; the fixed validator template lacks XML-style delimiters or explicit instructions for the subagent to ignore embedded commands in the interpolated fields.
  - Capability inventory: Spawns subagents with the Agent tool, which have capabilities for file system modification and command execution.
  - Sanitization: Absent; instructions specifically mandate copying fields verbatim from the plan.
- [COMMAND_EXECUTION]: The skill enables arbitrary command execution by instructing the validator subagent to run 'TEST_COMMANDS' directly from the ingested plan document. Although this is intended for verification, the lack of validation for these commands allows for the execution of malicious shell scripts if the plan source is compromised.
Audit Metadata