The skill generates plans with arbitrary shell commands and is
Claims to do
Writing Plans: Write comprehensive implementation plans assuming the engineer has zero context for our codebase and questionable taste. Document everything they need to know: which files to touch for each task, code, testing, docs they might need to check, how to test it. Give them the whole plan as bite-sized tasks. DRY. YAGNI. TDD. Frequent commits.
Actually does
This skill generates a detailed Markdown implementation plan for software development tasks. The plan specifies exact file paths to create/modify, provides complete code snippets for implementation and testing, and includes precise `pytest` and `git` commands for each bite-sized step. It saves the generated plan to a specified Markdown file and then offers options for execution using other AI skills.
The skill generates implementation plans that include shell commands (e.g., `pytest`, `git`). If the initial prompt to this skill is crafted maliciously, it could lead to the generation of a plan containing arbitrary commands, which would then be executed by a subsequent agent or skill.
Run: `pytest tests/path/test.py::test_name -v`
`git add tests/path/test.py src/path/file.py`
`git commit -m "feat: add specific feature"`
The skill saves generated plans to `docs/superpowers/plans/YYYY-MM-DD-<feature-name>.md`. If the `<feature-name>` is derived from unsanitized user input, it could be vulnerable to path traversal, allowing the agent to write files to arbitrary locations on the filesystem.
Save plans to: `docs/superpowers/plans/YYYY-MM-DD-<feature-name>.md`