Skills
skills/jpropato/siba/planning-with-files/Gen Agent Trust Hub

planning-with-files

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill implements a workflow where the agent's 'working memory' (task_plan.md) is automatically injected into the prompt context via hooks, creating a surface for potential instruction override.\n
  • Ingestion points: The PreToolUse hook in SKILL.md executes cat task_plan.md to refresh the agent's memory whenever Write, Edit, or Bash tools are about to be used.\n
  • Boundary markers: The output of the cat command is presented to the agent without boundary markers (like XML tags) or system instructions to ignore embedded commands within that file.\n
  • Capability inventory: The skill facilitates the use of high-impact capabilities including Bash (shell access) and Write/Edit (file system modification), as specified in the allowed-tools section of SKILL.md.\n
  • Sanitization: There is no sanitization or filtering of the content within task_plan.md. If the agent is tricked into writing malicious instructions (e.g., from a web search result) into the plan file, these instructions would be displayed with high priority in the context immediately preceding a tool call.\n- Command Execution (SAFE): The skill uses local shell scripts (scripts/init-session.sh and scripts/check-complete.sh) to automate file management. Analysis of these scripts shows they perform standard file operations (grep, cat, heredocs) without dangerous dynamic evaluation or privilege escalation.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:27 PM