planning-with-files

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill includes a session recovery script that accesses private application data outside the immediate project workspace.
  • Evidence: scripts/session-catchup.py constructs paths to ~/.claude/projects/ to locate and parse .jsonl session log files.
  • Impact: This script reads and extracts message content and tool usage from previous sessions, potentially exposing sensitive information, secrets, or context that was intended to be cleared.
  • [COMMAND_EXECUTION]: The skill utilizes lifecycle hooks to execute arbitrary shell and PowerShell commands on the host environment.
  • Evidence: The Stop hook in SKILL.md executes a multi-line shell script that performs OS detection and invokes internal scripts using sh, pwsh, or powershell with -ExecutionPolicy Bypass.
  • Evidence: The PreToolUse hook executes cat task_plan.md via a shell command whenever file-related tools are used.
  • [PROMPT_INJECTION]: The skill implements a persistent 'external memory' pattern that is vulnerable to indirect prompt injection through the ingestion of untrusted data.
  • Ingestion points: findings.md, task_plan.md (via planning-with-files.mdc).
  • Boundary markers: The templates do not provide explicit delimiters or instructions to ignore embedded commands within the planning files.
  • Capability inventory: The skill has access to the Bash, Write, Edit, and WebSearch tools, allowing for significant downstream impact if a malicious payload is summarized from the web into a planning file.
  • Sanitization: None present; the skill encourages direct storage of 'Visual/Browser Findings' into text files which are later re-read into the context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 30, 2026, 01:20 AM