planning-with-files
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on platform hooks (UserPromptSubmit, PreToolUse, PostToolUse, Stop) to automatically execute shell commands and local scripts, such as check-complete.sh and init-session.sh, which are bundled with the skill. These run without user interaction when tools are invoked or the session ends.
- [DATA_EXFILTRATION]: The session-catchup.py script accesses sensitive local application data directories (e.g., ~/.opencode/sessions/ and ~/.local/share/opencode/storage) to read previous conversation history. While this is used for context recovery, it exposes historical prompts and tool outputs to the current agent context.
- [PROMPT_INJECTION]: The skill introduces a surface for indirect prompt injection (Category 8) through its session recovery mechanism. Evidence:
  - Ingestion point: session-catchup.py reads historical session logs.
  - Boundary markers: absent in the recovery script.
  - Capability inventory: the skill has access to powerful tools like Bash, Write, and Edit.
  - Sanitization: no sanitization or filtering is applied to the retrieved history.
Audit Metadata