planning-with-files
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill automatically ingests untrusted data from the local filesystem into the model's context.
  - Ingestion Points: The PreToolUse hook in SKILL.md executes 'cat task_plan.md' before tool calls, and the scripts/check-complete.sh script reads the same file during the Stop hook.
  - Boundary Markers: Absent. No delimiters or instructions are provided to the agent to distinguish plan content from system instructions.
  - Capability Inventory: The skill grants access to powerful tools including Bash, Write, Edit, and WebSearch.
  - Sanitization: Absent. Content from task_plan.md is processed directly without validation or filtering.
Audit Metadata