planning-with-files-ar

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses a Stop hook in SKILL.md to automatically execute shell and PowerShell commands when the agent session terminates. These commands attempt to find and execute scripts (check-complete.ps1 or check-complete.sh) by searching through the ~/.claude/plugins/cache directory using wildcards (*/*/*/scripts/). This dynamic execution of scripts from a shared cache directory via a broad search pattern is a security risk as it could potentially execute unauthorized scripts if they are placed in the cache path.
  • [PROMPT_INJECTION]: The PreToolUse hook in SKILL.md is configured to automatically read and inject the first 30 lines of task_plan.md into the agent's context before every tool call (Read, Write, Edit, Bash, Glob, Grep). This creates a persistent indirect prompt injection surface:
      • Ingestion points: The agent is instructed to write findings and plans to task_plan.md, findings.md, and progress.md (SKILL.md).
      • Boundary markers: The injected data is wrapped in ---BEGIN PLAN DATA--- and ---END PLAN DATA--- tags, which provide some separation but may not prevent adversarial instructions.
      • Capability inventory: The skill has access to powerful tools including Bash, Write, and Edit (SKILL.md).
      • Sanitization: There is no sanitization or validation of the content in task_plan.md before it is injected into the prompt. If the agent records untrusted data (e.g., from a website or external file) into the plan, that data will be automatically re-injected into subsequent tool calls, potentially hijacking the agent's behavior.
  • [COMMAND_EXECUTION]: The session-catchup.py script and the Stop/PreCompact hooks perform extensive file system operations, including reading platform-specific session history from ~/.claude/projects/ and ~/.codex/sessions/. While intended for context recovery, this involves the automated parsing of internal platform metadata.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 20, 2026, 04:01 AM
Security Audit — agent-trust-hub — planning-with-files-ar