planning-with-files
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's Stop hook contains logic to execute local scripts using 'powershell -ExecutionPolicy Bypass' and 'pwsh -ExecutionPolicy Bypass'. This technique is used to override system-level execution policies that are intended to restrict the running of untrusted or unsigned scripts.
- [COMMAND_EXECUTION]: The skill triggers the execution of various internal scripts, including session-catchup.py, check-complete.sh, and check-complete.ps1, during its lifecycle hooks or through explicit documentation instructions.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it incorporates potentially untrusted data from the filesystem into the agent's context without proper isolation.
  - Ingestion points: The PreToolUse hook automatically reads the first 30 lines of task_plan.md whenever core tools are used. The documentation also instructs the agent to read findings.md and task_plan.md to recover state.
  - Boundary markers: No delimiters, tags, or 'ignore instructions' warnings are used when the agent reads these files to distinguish between data and commands.
  - Capability inventory: The skill allows the use of powerful tools including Bash, Write, Edit, WebFetch, and WebSearch.
  - Sanitization: No mechanism is present to sanitize or validate content before it is written to the planning files or after it is read by the agent, allowing a malicious external source (via WebFetch) to inject instructions that the agent may later obey.
Recommendations
- AI detected serious security threats
Audit Metadata