The Agent Skills Directory

[PROMPT_INJECTION]: The skill automatically injects the contents of user-controlled planning files (task_plan.md, progress.md) into the agent's context via UserPromptSubmit and PreToolUse hooks. This creates an indirect prompt injection surface as these files are designed to be updated during tasks and could ingest malicious instructions from external sources (e.g., web search results stored in findings.md).
Ingestion points: SKILL.md (hooks), task_plan.md, progress.md, findings.md (read and displayed by hooks).
Boundary markers: Injected content is wrapped in ---BEGIN PLAN DATA--- and ---END PLAN DATA--- delimiters.
Capability inventory: The skill possesses the ability to modify files and execute shell commands through the Write, Edit, and Bash tools.
Sanitization: The skill provides an opt-in hash attestation mechanism (/plan-attest) that allows the user to lock the plan's content with a SHA-256 hash. Hooks verify this hash before injection and block the process if the file has been modified without re-attestation.
[DATA_EXFILTRATION]: The session-catchup.py script accesses sensitive local session history data stored in the user's home directory (e.g., ~/.claude/projects/, ~/.codex/sessions/, and ~/.local/share/opencode/opencode.db). It extracts summaries of tool calls and text content from previous sessions and prints them into the current session's context to facilitate context recovery. This behavior exposes historical activity and potentially sensitive data from past tasks to the current agent.
[COMMAND_EXECUTION]: The skill's hooks and management scripts perform shell operations to initialize sessions and verify task completion. The Stop hook dynamically resolves paths for the check-complete script and executes it using sh or powershell.exe. The init-session.sh script also utilizes standard shell utilities for slugification and directory management.

planning-with-files