planning-with-files
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill creates a significant attack surface for indirect prompt injection by having the agent ingest untrusted data (research) and store it in persistent files that are later re-read to influence decisions and execution phases.
  - Ingestion points: The workflow relies on reading task_plan.md and notes.md (which contain data gathered during research) to guide future actions.
  - Boundary markers: Absent. The instructions do not define delimiters or specific warnings for the agent to ignore instructions embedded within the research data stored in notes.md.
  - Capability inventory: The skill uses file system operations (Read, Write, Edit) and explicitly includes an "Execute/build" phase in its planning template, which may involve running code based on the potentially poisoned plan.
  - Sanitization: Absent. No sanitization or validation of external content is specified before it is incorporated into the persistent plan.
- [Command Execution] (LOW): The skill's documentation provides specific bash commands (Read, Edit, Write) for the agent to use. These are standard operations for file management within the workspace and are consistent with the skill's stated purpose.
- [Persistence Mechanisms] (LOW): While the skill promotes "persistent markdown files," this refers to maintaining task state on disk rather than malicious persistence (like backdoor installation). However, if the plan is poisoned via injection, the malicious instructions will persist across agent sessions until the file is deleted.
Audit Metadata