planning-with-files

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill creates a feedback loop where untrusted data from external sources is stored in persistent files and then used to influence agent reasoning.
  • Ingestion points: Untrusted content enters via research findings written to notes.md and error logs written to task_plan.md.
  • Boundary markers: Absent. The templates do not use delimiters or instructions to treat the file content as untrusted data.
  • Capability inventory: The agent is explicitly instructed to 'Read task_plan.md' and 'refresh goals' before every major action, meaning content in these files directly influences tool selection and execution.
  • Sanitization: None. Malicious instructions contained in a webpage or a tool error could be persisted into the agent's 'working memory' and executed during the next decision loop.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 09:17 AM