planning-with-files

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Finding category: PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (LOW): The skill features an automated mechanism in SKILL.md that reads the first 30 lines of 'task_plan.md' into the agent's context before every 'Write', 'Edit', or 'Bash' tool call via a PreToolUse hook.
  • Ingestion points: Planning files (task_plan.md, findings.md, progress.md) are populated by the agent using data retrieved from external tools like WebSearch and WebFetch.
  • Boundary markers: No delimiters or safety warnings are used when the PreToolUse hook injects file content into the prompt, making it difficult for the agent to distinguish between its own previous plan and injected instructions.
  • Capability inventory: The skill is authorized to use high-privilege tools including Bash, Write, Edit, and network access tools.
  • Sanitization: There is no sanitization of the content written to or read from these planning files. This allows malicious instructions from untrusted external sources (e.g., a website the agent browses) to be persisted on disk and subsequently re-injected into the agent's decision-making context.
  • Command Execution (SAFE): The skill utilizes local shell scripts (scripts/init-session.sh, scripts/check-complete.sh) to manage the session. Analysis of these scripts shows they perform standard file operations and string matching without dangerous dynamic evaluation of untrusted input.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:30 PM