deep-plan
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill interpolates user-supplied data via the `$ARGUMENTS` variable, which is a potential vector for direct prompt injection if the user provides malicious instructions.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads content from `/tmp/deep-dive/{task-name}/research.md` and `/tmp/deep-dive/{task-name}/innovate.md` without sanitization or boundary markers.
  - Ingestion points: Reads files from the `/tmp/deep-dive/` directory in 'Phase 1: Context Review'.
  - Boundary markers: None. The content from the research and innovation files is processed without delimiters to separate it from the skill's system instructions.
  - Capability inventory: The skill is permitted to read and write files (creating `/tmp/deep-dive/{task-name}/plan.md`). It is explicitly forbidden from writing or modifying code, making commits, or running tests.
  - Sanitization: None. Content is interpolated directly into the context during planning.
Audit Metadata