planning-with-files
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, NO_CODE
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill implements a 'Manus-style' planning workflow that relies on 'Attention Manipulation Through Repetition' (as described in reference.md). This methodology explicitly directs the agent to store external research findings into local files (notes.md, task_plan.md) and re-read them to refresh goals before every decision. This creates a high-risk surface for Indirect Prompt Injection, where an attacker can influence the agent's primary goals via malicious external content.
  - Ingestion points: External research findings, web search results, and source URLs (documented in SKILL.md and examples.md).
  - Boundary markers: Absent. The provided templates for notes.md and task_plan.md do not use delimiters or specific instructions to ignore embedded commands in the processed data.
  - Capability inventory: Extensive file system interaction (write, edit, append) and autonomous decision-making based on the content of those files.
  - Sanitization: Absent. The workflow encourages storing large outputs directly from sources into the filesystem.
- COMMAND_EXECUTION (LOW): The skill documentation (SKILL.md, examples.md) provides examples of shell commands to manage the planning files. While these are descriptive and standard for agent operations, they emphasize frequent file system modifications, which increase the impact of any injected instructions.
- NO_CODE (SAFE): No executable scripts, binary files, or dependency manifests (e.g., package.json, requirements.txt) were detected. The skill is entirely composed of Markdown-based instructional content.
Audit Metadata