planning-with-files-es
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Automated execution of local management scripts via platform hooks. The skill utilizes UserPromptSubmit, PreToolUse, PostToolUse, and Stop hooks to run session-catchup.py and other maintenance scripts (init-session.sh, check-complete.sh). These scripts facilitate session state persistence and provide reminders for the agent to update its plan.
- [PROMPT_INJECTION]: Identification of an indirect prompt injection surface. The skill author explicitly warns that task_plan.md is a high-value target for injection because it is automatically read via a PreToolUse hook.
- Ingestion points: The agent reads from task_plan.md, findings.md, and progress.md.
- Boundary markers: Not present in the file structure itself, but the skill includes specific instructions to the agent to treat all external content as untrusted.
- Capability inventory: The skill has access to Bash, Read, Write, Edit, Glob, and Grep tools.
- Sanitization: The SKILL.md includes a 'Security Limits' section instructing the agent to never execute imperative text from external sources and to only write untrusted content to findings.md to prevent amplification.
Audit Metadata