planning-with-files-zht

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The Stop hook in SKILL.md uses recursive search commands (Get-ChildItem -Recurse in PowerShell and ls with wildcards in Bash) to find and execute scripts within the ~/.claude/plugins/cache directory. Executing code from paths computed or discovered at runtime is a high-risk pattern that can be exploited if an attacker can place a malicious script in the searched directory.
  • [DATA_EXFILTRATION]: The scripts/session-catchup.py script accesses and reads internal session logs from ~/.claude/projects/ and ~/.codex/sessions. These files contain private conversation history and metadata from previous interactions. Accessing this sensitive data outside the immediate project context constitutes a data exposure risk.
  • [PROMPT_INJECTION]: The skill uses a PreToolUse hook to automatically inject the contents of task_plan.md into the agent's context window before every tool invocation. This creates a vulnerability surface for indirect prompt injection; if the agent is directed to save untrusted data (e.g., from a website) into the planning files, those malicious instructions will be repeatedly re-injected into the context window, potentially subverting the agent's behavior.
  • Ingestion points: The files task_plan.md, findings.md, and progress.md are populated with data from the agent's activities, including content from potentially untrusted external sources.
  • Boundary markers: The documentation includes a 'Security Boundary' section advising the agent to treat external content as untrusted, but no mechanical enforcement is present.
  • Capability inventory: The skill has access to Bash, Write, Edit, and Read tools, which can be misused if an injection is successful.
  • Sanitization: There is no automated sanitization or filtering of the planning file content before it is injected into the context via hooks.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 20, 2026, 04:01 AM