planning-with-files
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The scripts/session-catchup.py script accesses internal agent session history files located in ~/.claude/projects/ and ~/.codex/sessions/. This allows the agent to restore context from previous interactions by reading session interaction logs from the user's home directory. While intended for local context recovery, these logs contain a record of user prompts and agent responses.
- [COMMAND_EXECUTION]: The skill requires the agent to execute several bundled local scripts (init-session.sh, check-complete.sh, session-catchup.py) to manage planning files and recover session context within the local environment.
- [PROMPT_INJECTION]: The core workflow relies on the agent reading and following goals defined in project files (task_plan.md, findings.md). This creates a surface for indirect prompt injection.
  - Ingestion points: The agent is instructed to read from project planning files and the output of the session recovery script.
  - Boundary markers: The templates do not include explicit delimiters or instructions to ignore embedded commands within the planning files.
  - Capability inventory: The skill supports file modification and the execution of bundled shell and Python scripts.
  - Sanitization: Content from these files is directly interpolated into the agent's context without sanitization or validation.
Audit Metadata