planning-with-files-zh

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses automated hooks to trigger script execution within the environment. The PreToolUse hook executes a cat command on every tool call, and the Stop hook runs external scripts (check-complete.ps1 or check-complete.sh) to verify task completion. These scripts use a PowerShell execution policy bypass or standard shell execution to perform their checks.
  • [PROMPT_INJECTION]: The skill architecture creates a significant surface for Indirect Prompt Injection. The PreToolUse hook automatically reads and injects the first 30 lines of task_plan.md into the agent's context whenever a tool is used. If malicious instructions from an external source (such as an adversarial web page) are written to the plan, they will be repeatedly processed as instructions by the agent.
    • Ingestion points: Content from task_plan.md is automatically read into the context via the PreToolUse hook defined in SKILL.md.
    • Boundary markers: While the SKILL.md file includes a "Security Boundary" section advising the agent to treat external content as untrusted, no technical delimiters wrap the injected file content to isolate it from the system prompt.
    • Capability inventory: The skill grants access to powerful tools including Bash, Write, and Edit, which increases the potential impact of a successful injection.
    • Sanitization: No technical sanitization or validation of the content within the planning files is performed before it is injected into the context.
  • [DATA_EXFILTRATION]: The session-catchup.py script is designed to access sensitive user data by reading session history logs. It resolves and parses JSONL files stored in the user's home directory (under ~/.claude/projects/ or ~/.codex/sessions) to summarize previous interactions. Accessing these private files exposes the user's conversation history to the agent context.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 19, 2026, 10:48 PM