planning-with-files

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill utilizes a PreToolUse hook to automatically read the first 30 lines of task_plan.md into the agent's context. If the agent is manipulated into writing malicious instructions to this file (e.g., after reading a malicious website), those instructions would be re-injected before every write, edit, or bash command.
  • Ingestion points: task_plan.md (read via cat in SKILL.md hooks).
  • Boundary markers: Absent; the file content is echoed directly into the prompt stream without delimiters.
  • Capability inventory: Bash, Write, Edit, WebFetch, WebSearch.
  • Sanitization: None; the skill reads and injects raw text from the filesystem.
  • [Command Execution] (SAFE): The skill includes internal shell scripts (scripts/init-session.sh and scripts/check-complete.sh) to initialize the planning environment and verify task completion. These scripts use standard system utilities and do not process untrusted external input in an unsafe manner.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 04:50 PM