planning-with-files-zh

Pass

Audited by Gen Agent Trust Hub on Jun 22, 2026

Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements an automated context-injection mechanism via a PreToolUse hook that reads the first 30 lines of task_plan.md before every tool call. This creates a surface for indirect prompt injection if malicious instructions from untrusted sources (e.g., web search results) are saved into that file.
  • Ingestion points: task_plan.md in the current project directory (accessed via PreToolUse hook).
  • Boundary markers: The SKILL.md includes a specific "Security boundaries" section advising the agent to treat external content as untrusted and to only store it in findings.md rather than the plan file.
  • Capability inventory: The skill allows access to Read, Write, Edit, Bash, Glob, and Grep tools.
  • Sanitization: There is no programmatic sanitization; the skill relies on the agent's adherence to the safety instructions provided in the markdown body.
  • [DATA_EXFILTRATION]: The scripts/session-catchup.py script is designed to access and analyze local session history files.
  • Evidence: The script reads files from ~/.claude/projects/ and ~/.codex/sessions/ to extract and summarize previous user and assistant messages for session recovery.
  • Context: This access is limited to the local file system for functional purposes (reconstructing context) and no network exfiltration was detected.
  • [COMMAND_EXECUTION]: The skill uses automation scripts (Bash, PowerShell, and Python) to manage the planning lifecycle.
  • Evidence: The Stop hook executes a search-and-run command for completion scripts using powershell.exe -ExecutionPolicy Bypass. The SKILL.md also instructs the agent to run the session-catchup.py script using system python.
  • Context: These operations are intended for local task automation and state synchronization within the project environment.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 22, 2026, 10:11 AM
Security Audit — agent-trust-hub — planning-with-files-zh