planning-with-files
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes automated hooks (PreToolUse, PostToolUse, and Stop) to execute shell commands. Specifically, the Stop hook runs powershell.exe with the -ExecutionPolicy Bypass flag to execute a local verification script, bypassing standard operating system security protections for script execution.
- [DATA_EXFILTRATION]: The scripts/session-catchup.py script accesses and reads internal application data stored in ~/.claude/projects/. It parses session history files (.jsonl) to extract previous conversation content. While used for session recovery, this involves accessing sensitive internal application storage containing historical user and assistant interactions.
- [PROMPT_INJECTION]: The session recovery logic in scripts/session-catchup.py creates an attack surface for indirect prompt injection.
  - Ingestion points: The script reads historical conversation data from previous session logs in ~/.claude/projects/.
  - Boundary markers: Extracted text is presented to the agent with simple labels (USER/CLAUDE), which lack the robust delimiters necessary to prevent the model from obeying instructions embedded in old logs.
  - Capability inventory: The skill grants access to highly capable tools including Bash, Write, Edit, and WebFetch, which could be leveraged if an injection is successful.
  - Sanitization: No sanitization or filtering of historical text is performed before it is re-introduced into the active conversation context.
Audit Metadata