Skills
skills/marcoax/skills/planning-with-files/Gen Agent Trust Hub

planning-with-files

Pass

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill incorporates a session recovery mechanism via the session-catchup.py script, which accesses and reads the agent's internal conversation history stored in ~/.claude/projects/. This involves reading sensitive session logs to restore task context. While the data remains local and is used for the stated purpose of session recovery, it constitutes an exposure of previous interaction data.
  • [COMMAND_EXECUTION]: The skill defines automation hooks (PreToolUse, PostToolUse, Stop) and provides instructions for executing shell commands and scripts (Python and PowerShell). The Stop hook automatically runs verification scripts when the session ends, utilizing a PowerShell execution policy bypass (-ExecutionPolicy Bypass) on Windows systems.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it is designed to ingest and act upon data from markdown files (task_plan.md, findings.md) and session logs. Malicious instructions placed in these files could influence the agent's subsequent actions.
  • Ingestion points: The agent reads from task_plan.md, findings.md, progress.md, and session log files (.jsonl).
  • Boundary markers: No boundary markers or specific instructions to ignore embedded prompts are present in the provided templates.
  • Capability inventory: The skill uses powerful tools including Bash, Write, Edit, and WebSearch.
  • Sanitization: Content read from the filesystem or history logs is not sanitized before being processed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 11, 2026, 06:50 AM