planning-with-files
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands and PowerShell scripts within platform hooks to manage task state. For instance, SKILL.md defines a Stop hook that executes check-complete.ps1 or check-complete.sh to report completion status using the -ExecutionPolicy Bypass flag for Windows compatibility.\n- [COMMAND_EXECUTION]: The PreToolUse and UserPromptSubmit hooks in SKILL.md use standard Unix utilities like cat, head, and tail to inject planning file content into the agent's context window at runtime.\n- [PROMPT_INJECTION]: The skill's architecture creates a surface for Indirect Prompt Injection by automatically reading user-edited or tool-generated files (task_plan.md, findings.md) into the prompt via hooks. \n
- Ingestion points: File content from task_plan.md and progress.md is read into the context window during UserPromptSubmit, PreToolUse, and PostToolUse events as defined in SKILL.md.\n
- Boundary markers: The hooks use descriptive headers such as [planning-with-files] ACTIVE PLAN and === recent progress === to separate injected file content from other context.\n
- Capability inventory: The skill is granted Read, Write, Edit, Bash, Glob, and Grep tools, providing a wide range of filesystem and execution capabilities.\n
- Sanitization: The skill does not implement automated sanitization but includes a 'Security Boundary' section in SKILL.md that instructs the agent to treat external content as untrusted and avoid writing it to the high-priority task_plan.md file.\n- [SAFE]: The session-catchup.py script accesses the ~/.claude/projects/ directory to recover conversation history from previous sessions. This behavior is consistent with the skill's primary purpose of session recovery and does not involve external network communication or exfiltration of the data.
Audit Metadata