planning-with-files
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- DATA_EXFILTRATION (MEDIUM): The 'session-catchup.py' script accesses internal application data at '~/.claude/projects/'. This directory contains sensitive conversation history and session logs. While it is used for session recovery, it exposes to the current agent context historical data that may have been intentionally cleared.
- PROMPT_INJECTION (MEDIUM): The skill documentation explicitly facilitates bypassing the platform's '/clear' command. By reading previous session logs from disk, it restores context that the platform's safety and privacy controls are designed to purge.
- PROMPT_INJECTION (MEDIUM): The metadata contains deceptive and future-dated claims (e.g., corporate acquisition in December 2025) and fabricated documentation links to establish false authority and influence agent behavior.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection. Evidence Chain: (1) Ingestion points: 'task_plan.md' and 'findings.md' are frequently read as 'memory' files. (2) Boundary markers: Absent. (3) Capability inventory: 'Bash', 'Write', 'Edit', 'WebFetch', and 'WebSearch' are all available to the skill. (4) Sanitization: Absent; no validation or escaping is performed on contents read from these files.
- COMMAND_EXECUTION (LOW): The skill uses 'powershell -ExecutionPolicy Bypass' to execute internal verification scripts, bypassing host-level security policies.
Audit Metadata