planning-with-files-zht
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes automated lifecycle hooks (PreToolUse, PostToolUse, and Stop) to execute local shell and PowerShell scripts. These scripts manage task state and initialization, with PowerShell execution specifically using the `-ExecutionPolicy Bypass` flag.
- [PROMPT_INJECTION]: The `PreToolUse` hook is configured to automatically read and inject the first 30 lines of `task_plan.md` into the agent's context before every tool invocation (Write, Edit, Bash, Read, etc.). This mechanism facilitates persistent indirect prompt injection, as any malicious instructions successfully placed in the plan file will be repeatedly re-executed by the agent.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its core workflow of saving external research findings into files that are subsequently read back into the prompt context.
  - Ingestion points: Untrusted data from web searches or external files is written to `findings.md` and `task_plan.md` within the project directory.
  - Boundary markers: While the skill's instructions recommend treating external content as untrusted, no technical boundary markers or 'ignore' instructions are automatically applied to the content within the planning files themselves.
  - Capability inventory: The agent possesses high-privilege capabilities including `Bash` command execution and arbitrary file system access via the `Write` and `Edit` tools.
  - Sanitization: No sanitization or validation is performed on data written to or read from the planning files.
- [DATA_EXPOSURE]: The `session-catchup.py` script accesses the user's local application data directory (`~/.claude/projects/`) to read and summarize JSONL conversation logs. This exposes historical interaction data and previous session context to the current agent session for the purpose of state recovery.
Audit Metadata