NYC

planning-with-files

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill utilizes several lifecycle hooks to execute shell commands and scripts.
      • The Stop hook executes ${CLAUDE_PLUGIN_ROOT}/scripts/check-complete.sh.
      • The PreToolUse hook executes `cat task_plan.md 2>/dev/null | head -30 || true` every time the agent attempts to use the Write, Edit, or Bash tools.
      • While these commands appear functional, executing shell scripts provided within the skill package or reading local files via shell carries inherent risks if the environment or the files themselves are compromised.
  • PROMPT_INJECTION (LOW): The skill is highly susceptible to indirect prompt injection via the task_plan.md file.
      • Ingestion points: The PreToolUse hook automatically reads the first 30 lines of task_plan.md and outputs them to the agent's session every time a critical tool is used.
      • Boundary markers: No delimiters or instructions are provided to the agent to treat this file content as untrusted data; it is presented as the primary "plan."
      • Capability inventory: The agent has access to high-privilege tools including Bash, Write, Edit, and WebFetch.
      • Sanitization: No sanitization is performed. An attacker who can influence the content of task_plan.md (e.g., via a git pull or a malicious file download) can inject instructions that the agent will execute with full tool access.
  • DATA_EXPOSURE (LOW): While the skill primarily works with local planning files, the combination of WebFetch and the ability to read project files creates a potential path for data exfiltration if the agent is manipulated via the aforementioned injection surface.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:43 PM