Plan Review

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFEPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted plan files and interpolates the raw content directly into subagent prompts.
  • Ingestion points: User-provided plan files (via path/to/your-plan.md) are read and passed to subagents in the agent-prompt.md workflow.
  • Boundary markers: The skill uses simple text labels (e.g., Plan: [PLAN_CONTENT]) to demarcate untrusted data, which lacks the robust isolation of XML delimiters or 'ignore' instructions needed to prevent an adversary from overriding the subagent's logic.
  • Capability inventory: The subagent is explicitly instructed that it has access to a wide range of powerful tools, including Bash, Write, Edit, Task, and AskUserQuestion.
  • Sanitization: The instructions do not define any sanitization, escaping, or validation steps for the plan content before it is interpolated into the executable prompt context.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 02:39 AM
Security Audit — agent-trust-hub — Plan Review