planning-with-files
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill defines a 'Stop' hook that automatically executes local shell or PowerShell scripts to verify task completion. In Windows environments, it invokes PowerShell with the -ExecutionPolicy Bypass flag, a common but insecure practice that allows local scripts to run regardless of the system's execution-policy configuration.
- [PROMPT_INJECTION]: The skill's architecture creates a significant surface for indirect prompt injection. By design, the agent is instructed to fetch information from the web and record it in planning files, which it then re-reads to guide its actions.
  - Ingestion points: Files such as task_plan.md and findings.md are frequently read by the agent, often triggered by tool hooks.
  - Boundary markers: The templates lack strict delimiters or 'ignore' instructions to distinguish the agent's internal planning from untrusted data imported from external sources.
  - Capability inventory: The skill possesses high-privilege capabilities including Bash, Write, Edit, Read, and network tools such as WebFetch.
  - Sanitization: There is no mechanism to sanitize or validate data before it is written to the planning files and subsequently processed as instruction context.
- [DATA_EXFILTRATION]: The session-catchup.py script is designed to recover context from previous sessions by reading session history files stored in ~/.claude/projects/. This involves accessing sensitive local logs containing previous user-agent interactions. While this is used locally to populate the current session's context for recovery purposes, it exposes potentially sensitive historical data to the agent. No network-based exfiltration was found in the scripts.
Audit Metadata