planning-with-files
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM
Risk categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes several local scripts (.sh, .ps1, .py) for its core functionality. Notably, the Stop hook in SKILL.md executes powershell.exe -NoProfile -ExecutionPolicy Bypass, which is a common technique to circumvent local security policies that restrict script execution.
- [DATA_EXFILTRATION]: The session-catchup.py script automatically searches for and reads historical session logs from the local system (e.g., ~/.opencode/sessions/). This behavior can expose sensitive information, credentials, or private data from previous unrelated tasks if they are associated with the same project context.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its session catchup mechanism.
  - Ingestion points: session-catchup.py reads untrusted data from historical session log files (.json and .jsonl).
  - Boundary markers: The script prefixes ingested content with text headers such as --- UNSYNCED CONTEXT ---, but it lacks robust delimiters or explicit instructions to the agent to ignore any commands or malicious payloads contained within that historical text.
  - Capability inventory: The skill possesses extensive capabilities, including the ability to execute Bash commands and perform file operations (Write, Edit, Read).
  - Sanitization: No sanitization or filtering is applied to the message content retrieved from previous sessions before it is injected into the current prompt.
Audit Metadata