planning-with-files

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it automatically reads and injects the contents of 'task_plan.md' into the agent's context window via a PreToolUse hook. If an attacker can influence the contents of this file through other tools or data ingestion, they could inject instructions that the agent might follow in subsequent turns.
  • Ingestion points: Content from 'task_plan.md' is read using 'cat' in the 'PreToolUse' hook defined in 'SKILL.md'.
  • Boundary markers: There are no explicit boundary markers or instructions to disregard embedded commands when the file content is read.
  • Capability inventory: The skill allows powerful tools, including 'Bash', 'Write', and 'Edit', which an injected instruction could leverage if the injection succeeds.
  • Sanitization: No sanitization or validation is performed on the content of 'task_plan.md' before it is injected into the context.
  • [COMMAND_EXECUTION]: The skill executes local shell commands and scripts ('scripts/init-session.sh' and 'scripts/check-complete.sh') to initialize planning files and verify task completion. These operations are used for legitimate session management and use standard Unix utilities like 'grep' and 'cat' on local files within the working directory.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 27, 2026, 03:13 PM