pi-planning-with-files
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute several local scripts provided within its installation directory, such as `scripts/session-catchup.py`, `scripts/init-session.sh`, and `scripts/check-complete.sh`. These scripts are used for administrative tasks like initializing project files and recovering session state.
- [DATA_EXFILTRATION]: The `scripts/session-catchup.py` script accesses historical conversation data stored locally in the environment (e.g., `~/.claude/projects/`). This data is read to extract previous user and assistant messages for the purpose of context restoration. The information is printed to the standard output for the agent to read and remains within the local environment; no network exfiltration patterns were detected.
- [PROMPT_INJECTION]: The session recovery mechanism introduces a surface for indirect prompt injection because it re-introduces historical conversation snippets into the current session.
  - Ingestion points: The `scripts/session-catchup.py` script reads from local session logs stored in `~/.claude/projects/`.
  - Boundary markers: The script's output uses a header `--- UNSYNCED CONTEXT ---` to delimit the recovered history, but individual messages within that history are not uniquely delimited or wrapped in safety instructions.
  - Capability inventory: The skill utilizes standard agent capabilities including shell command execution (`Bash`), filesystem modifications (`Write`, `Edit`), and file reading (`Read`).
  - Sanitization: The script does not perform sanitization or filtering of the historical message content, relying on the agent's internal safety filters during processing.