planning-with-files
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a PreToolUse hook that automatically executes 'cat task_plan.md' before every tool call. This design pattern ensures the task plan is in the agent's recent context but creates a surface for indirect prompt injection if untrusted content is written to that file.
- Ingestion points: task_plan.md (read via PreToolUse hook in SKILL.md).
- Boundary markers: Absent; the file content is directly injected into the prompt context via the hook command.
- Capability inventory: The agent has access to Bash, Write, Edit, Read, Glob, and Grep tools.
- Sanitization: Absent; the skill relies on instructional guidelines to the agent (e.g., advising against writing untrusted search results to the plan file) rather than programmatic sanitization.
- [COMMAND_EXECUTION]: The skill executes local scripts for task management and session initialization. This includes a Stop hook that runs check-complete.ps1 or check-complete.sh when the session ends. On Windows, the PowerShell script is executed with the -ExecutionPolicy Bypass flag.
- [COMMAND_EXECUTION]: The session-catchup.py script accesses local session history files stored in the ~/.claude/projects/ directory. It parses these .jsonl files to summarize previous interactions and recover context, which involves reading historical conversation logs stored on the local filesystem.
Audit Metadata