planning-with-files
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Data Exposure (HIGH): The session-catchup.py script targets the ~/.claude/projects/ directory to read session history files (.jsonl). This directory contains logs of previous user interactions, which may include private data, secrets, or PII from earlier conversations.
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection: it processes untrusted content from web searches and re-injects stale session data into the current context without sanitization.
  - Ingestion points: session-catchup.py (reads previous session logs), WebSearch/WebFetch results.
  - Boundary markers: Absent (the skill does not use XML tags or other clear delimiters around processed data).
  - Capability inventory: Bash, Write, Edit, Read (an injected instruction could therefore execute commands or modify local project files).
  - Sanitization: Absent (data is interpolated directly and presented to the agent for recovery/planning purposes).
- Command Execution (MEDIUM): The skill uses shell and PowerShell scripts for initialization and verification tasks. The Windows implementation runs them with -ExecutionPolicy Bypass, a relaxation of a host control that is commonly used to run unsigned scripts. PowerShell's execution policy is designed to prevent accidental script execution rather than to act as a security boundary, so the flag mainly signals that unsigned scripts will run regardless of the host's configured policy.
Recommendations
- AI detected serious security threats
Audit Metadata