planning-with-files
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill creates a significant indirect prompt injection surface through its state management mechanism.
  - Ingestion points: The `PreToolUse` hook defined in `SKILL.md` automatically executes `cat task_plan.md` to inject the first 30 lines of the planning file into the context window before every `Write`, `Edit`, `Bash`, `Read`, `Glob`, or `Grep` operation.
  - Boundary markers: The injected content lacks delimiters or instructions to the model to treat the file content as data rather than instructions.
  - Capability inventory: The skill grants access to powerful tools including `Bash`, `Write`, and `Edit`, which can be used to further compromise the environment if the agent follows injected instructions.
  - Sanitization: There is no sanitization or validation of the content within `task_plan.md`. If the agent is tricked into writing untrusted data (e.g., from a web search) into the plan file, it creates a persistent instruction loop.
- [COMMAND_EXECUTION]: The skill utilizes lifecycle hooks to execute local scripts and shell commands.
  - The `Stop` hook in `SKILL.md` executes `check-complete.ps1` using `powershell.exe -ExecutionPolicy Bypass`, which intentionally lowers the security posture on Windows systems to run the skill's local scripts.
  - The `scripts/session-catchup.py` script accesses sensitive internal application data located in `~/.claude/projects/`. It parses `.jsonl` files containing previous conversation history and tool outputs. While this is the intended functionality for session recovery, it exposes potentially sensitive information from previous interactions to the current agent context.
Audit Metadata