planning-with-files
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill implements a 'Recitation' pattern that automatically reads `task_plan.md` before every `Bash`, `Write`, or `Edit` tool call via the `PreToolUse` hook.
  - Ingestion points: `task_plan.md` is read into the context window automatically.
  - Boundary markers: No delimiters or safety instructions are used when injecting the file content back into the prompt.
  - Capability inventory: The skill allows full `Bash`, `Write`, and `Edit` tool access.
  - Sanitization: There is no sanitization or validation of the content within the planning files before it is read.
  - Risk: If the agent performs a `WebSearch` or `WebFetch` (both allowed tools) and saves attacker-controlled instructions into `findings.md` or `task_plan.md`, those instructions will be executed with high privilege in the next loop.
- Command Execution (LOW): The skill uses local shell scripts (`scripts/init-session.sh`, `scripts/check-complete.sh`) and hooks to manage planning state.
  - Evidence: The `Stop` hook executes `${CLAUDE_PLUGIN_ROOT}/scripts/check-complete.sh` and the `PreToolUse` hook executes `cat task_plan.md`.
  - Assessment: These commands are fixed and do not involve dynamic interpolation of untrusted data into the shell command string itself, though the output of the command is the source of the prompt injection risk noted above.
Recommendations
- AI detected serious security threats
Audit Metadata