planning-with-files
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect prompt injection vulnerability surface.
  1. Ingestion points: Data from WebFetch and WebSearch is written to findings.md and task_plan.md via the agent's research loop.
  2. Boundary markers: Absent; data is stored as standard markdown without delimiters.
  3. Capability inventory: The skill enables high-privilege Bash, Write, and Edit tools.
  4. Sanitization: Absent. The skill's core instructions (e.g., 'Read before major decisions') mandate that the agent ingest potentially poisoned content immediately before using the Bash tool.
- [COMMAND_EXECUTION] (MEDIUM): Automatic execution of shell commands and scripts via lifecycle hooks. The PreToolUse hook executes 'cat task_plan.md' automatically on every use of Bash, Write, or Edit. The Stop hook executes a local script at ${CLAUDE_PLUGIN_ROOT}/scripts/check-complete.sh when the session ends.
Recommendations
- AI detected serious security threats
Audit Metadata