gemini-plan
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests data from local files (CLAUDE.md and user-specified context files in Step 2) and interpolates them directly into a planning prompt (Step 3) without boundary markers or instructions to ignore embedded instructions. This is particularly concerning given the skill's stated philosophy that the agent should execute the resulting output plan.
  - Ingestion points: CLAUDE.md, and files matching the user-provided context glob in Step 2.
  - Boundary markers: Absent; content is placed under markdown headers but no delimiters are used.
  - Capability inventory: Bash (file write, directory creation), and Gemini CLI (network communication).
  - Sanitization: Absent; file contents are read via cat and passed directly to the prompt.
- [COMMAND_EXECUTION]: The skill is vulnerable to argument injection in the find command used in Step 2. The user-controlled --context argument is used in find . -path "$context_pattern" without adequate sanitization, allowing an attacker to inject additional find flags such as -exec to run arbitrary shell commands.
- [COMMAND_EXECUTION]: The skill allows for arbitrary file write and directory creation. The --output argument is used in mkdir -p "$output_dir" and to define the target path for echo "$plan" > "$output_file" in Step 7. This can be exploited for path traversal or to overwrite sensitive files if the agent is directed to use a malicious output path.
- [DATA_EXFILTRATION]: The skill contains a data exposure and exfiltration surface. The file-gathering logic in Step 2 can be directed via the --context flag to read sensitive local files (such as .env or credentials) and send their content (up to 500,000 characters) to the external Gemini API.