planning-with-files-zh
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses platform hooks (UserPromptSubmit, PreToolUse, PostToolUse, Stop) to automate the execution of shell and PowerShell commands. These commands are used to manage planning files and ensure the agent's context is updated throughout the task lifecycle.
- [COMMAND_EXECUTION]: The Stop hook dynamically searches for and executes completion scripts (check-complete.ps1 or check-complete.sh) within the environment's plugin cache. This behavior allows the skill to finalize its state regardless of platform-specific installation paths.
- [PROMPT_INJECTION]: The skill implements an automated context injection mechanism via the PreToolUse hook, which reads the task_plan.md file before every tool call. This provides the agent with persistent memory but creates an indirect prompt injection surface. The skill author includes specific 'Security Boundaries' instructions to mitigate this risk by advising the agent not to write untrusted data into the planning files.
  - Ingestion points: task_plan.md via the PreToolUse hook in SKILL.md.
  - Boundary markers: No syntactic delimiters are used in the automated hook, but logic is provided in the documentation's safety rules.
  - Capability inventory: Full access to standard file manipulation and shell tools (Read, Write, Edit, Bash, Glob, Grep).
  - Sanitization: Content from planning files is injected directly into the prompt without automated escaping or filtering.
- [DATA_EXFILTRATION]: The session-catchup.py script reads local application data from ~/.claude/projects/ and ~/.codex/sessions/ to restore conversation history. This constitutes data exposure of internal logs to the agent, though it is used for the intended purpose of session recovery and does not involve external network transmission.
Audit Metadata