planning-with-files

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it instructs the agent to gather research findings into 'notes.md' and subsequently read that file to generate final deliverables. If the research process ingests malicious instructions from external sources, those instructions could influence the agent's behavior when processing the file. \n
  • Ingestion points: 'notes.md' and 'task_plan.md' (via the Read and Edit tools).\n
  • Boundary markers: Absent. There are no instructions or delimiters provided to ensure the agent ignores or treats embedded instructions in these files as data only.\n
  • Capability inventory: 'Bash', 'Write', 'Edit', 'Read', 'Grep', and 'Glob' tools are accessible to the agent.\n
  • Sanitization: Absent. The skill does not include steps to sanitize, escape, or validate content retrieved from external sources before saving it to the persistent markdown files. \n- [COMMAND_EXECUTION]: The skill configuration explicitly allows the use of the 'Bash' tool. While intended for research and file management, this provides a broad execution surface that could be exploited if the agent's context is subverted through other vectors such as indirect prompt injection.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 22, 2026, 06:16 PM
Security Audit — agent-trust-hub — planning-with-files