planning-with-files
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE · PROMPT_INJECTION · COMMAND_EXECUTION
Full Analysis
- Prompt Injection (LOW): The skill is vulnerable to indirect prompt injection via the session recovery mechanism.
  - Ingestion points: `scripts/session-catchup.py` reads conversation history from JSONL files in `~/.claude/projects/`.
  - Boundary markers: The script uses `--- UNSYNCED CONTEXT ---` as a delimiter but does not include explicit instructions for the agent to ignore potentially malicious embedded commands within the history.
  - Capability inventory: The skill has access to powerful tools including `Bash`, `Write`, and `Edit`, and executes shell hooks during `Stop` and `PreToolUse` events.
  - Sanitization: The script performs minimal sanitization (excluding specific tags like `<local-command`) but generally presents raw text from previous sessions back to the LLM.
- Command Execution (SAFE): The skill utilizes local shell and PowerShell scripts for task verification and initialization.
  - Evidence: Hooks in `SKILL.md` execute `scripts/check-complete.sh` and `scripts/check-complete.ps1`.
  - Context: These scripts are bundled with the skill and perform benign logic (counting status markers in markdown files). The use of `-ExecutionPolicy Bypass` in PowerShell is a standard requirement for agent-run scripts and is used only on local skill files.
- Data Exposure (SAFE): The skill accesses the agent's own project history directory (`~/.claude/projects/`). While this directory contains sensitive conversation data, accessing it is the primary and stated purpose of the `session-catchup.py` script to facilitate context recovery. No data exfiltration to external domains was detected.
Audit Metadata