planning-with-files
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes lifecycle hooks to run shell commands and internal scripts. It executes `cat task_plan.md` to provide context during tool use and calls a vendor-provided script `${CLAUDE_PLUGIN_ROOT}/scripts/check-complete.sh` when the session terminates.
- [PROMPT_INJECTION]: The skill's architecture creates an indirect prompt injection surface by integrating external data into the agent's workflow.
  - Ingestion points: The agent ingests data from untrusted sources via `WebFetch` and `WebSearch`, as well as from persistent local files like `task_plan.md` and `findings.md` (SKILL.md).
  - Boundary markers: There are no explicit delimiters or warnings instructing the agent to ignore instructions embedded in the planning files or web content.
  - Capability inventory: The skill grants access to the `Bash` and `Write` tools, which could be leveraged if the agent follows malicious instructions found in processed data.
  - Sanitization: The skill does not implement any validation or sanitization for data retrieved through its tools or read from the filesystem.
- [EXTERNAL_DOWNLOADS]: The skill allows the use of the `WebFetch` and `WebSearch` tools, enabling the agent to download and process content from external web domains.
Audit Metadata