planning-with-files

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION] (HIGH): The script scripts/session-catchup.py reads internal Claude session history files stored in ~/.claude/projects/. These JSONL files contain the full history of past interactions, including tool inputs and outputs, exposing potentially sensitive data, personal info, or credentials from other sessions to the current agent context.
  • [PROMPT_INJECTION] (HIGH): The skill design relies on the agent following instructions from external files like task_plan.md that it populates during execution. This creates a massive surface for Indirect Prompt Injection if the agent processes untrusted data (e.g., from WebSearch) and writes it to these planning files.
    • Ingestion points: Read, Grep, PreToolUse hooks, and the session-catchup.py recovery script.
    • Boundary markers: None present in templates or instructions.
    • Capability inventory: Bash, Write, Edit, WebFetch, WebSearch.
    • Sanitization: No validation or escaping of external content before it is interpolated into planning files or re-read into the prompt.
  • [COMMAND_EXECUTION] (MEDIUM): The skill uses automated shell hooks and PowerShell scripts executed with -ExecutionPolicy Bypass. The automatic execution of scripts upon tool use or session termination, combined with this bypass of the execution policy, increases the risk of unauthorized or unintended command execution.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:16 AM