planning-with-files-de
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses platform hooks (PreToolUse, PostToolUse, and Stop) to execute shell commands automatically. This includes reading local plan files before each tool call and running verification scripts (Bash or PowerShell) when the session terminates. On Windows, it passes the -ExecutionPolicy Bypass flag so the script runs regardless of the host's execution policy.
- [COMMAND_EXECUTION]: A local Python script, session-catchup.py, is invoked to parse session logs from ~/.claude/projects/ or ~/.codex/sessions. This facilitates context restoration but involves reading historical conversation data stored on the filesystem.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by automatically injecting the contents of task_plan.md into the agent's context through a PreToolUse hook. To mitigate this risk, the skill instructions explicitly warn the agent and user against writing untrusted content from external sources into the planning files.