Plan Review
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted plan files and interpolates the raw content directly into subagent prompts.
- Ingestion points: User-provided plan files (via
path/to/your-plan.md) are read and passed to subagents in theagent-prompt.mdworkflow. - Boundary markers: The skill uses simple text labels (e.g.,
Plan: [PLAN_CONTENT]) to demarcate untrusted data, which lacks the robust isolation of XML delimiters or 'ignore' instructions needed to prevent an adversary from overriding the subagent's logic. - Capability inventory: The subagent is explicitly instructed that it has access to a wide range of powerful tools, including
Bash,Write,Edit,Task, andAskUserQuestion. - Sanitization: The instructions do not define any sanitization, escaping, or validation steps for the plan content before it is interpolated into the executable prompt context.
Audit Metadata