planning-with-files

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [Privilege Escalation] (HIGH): The skill's Stop hook and manual recovery instructions utilize powershell -ExecutionPolicy Bypass and pwsh -ExecutionPolicy Bypass. This explicitly instructs the system to ignore security configurations designed to prevent the execution of untrusted scripts, creating a significant privilege escalation vector.
  • [Dynamic Execution] (MEDIUM): The skill executes multiple shell and python scripts (session-catchup.py, check-complete.sh) using paths derived from environment variables like CLAUDE_PLUGIN_ROOT. This relies on the security of the environment and the installation directory, as execution from computed paths is a common vector for local privilege escalation or persistence if the directory is writable.
  • [Indirect Prompt Injection] (LOW): The skill implements a '2-Action Rule' requiring the agent to save findings from WebFetch and WebSearch into findings.md. 1. Ingestion points: WebFetch and WebSearch results are processed. 2. Boundary markers: None are specified for the saved content. 3. Capability inventory: The agent has Bash and Write access. 4. Sanitization: There are no instructions for sanitizing or escaping the content before writing it to markdown files that are later re-read to influence agent logic.
  • [Data Exposure] (LOW): The PreToolUse hook automatically executes cat task_plan.md before any tool call (including WebFetch). While intended to maintain context, this pattern automatically exposes internal planning data to the context window just before the agent interacts with potentially malicious external web services.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:48 PM