planning-with-files-ar
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a Stop hook in SKILL.md to automatically execute shell and PowerShell commands when the agent session terminates. These commands attempt to find and execute scripts (check-complete.ps1 or check-complete.sh) by searching through the ~/.claude/plugins/cache directory using wildcards (*/*/*/scripts/). Dynamically executing scripts found in a shared cache directory through such a broad search pattern is a security risk: any unauthorized script placed at a matching cache path would be executed.
- [PROMPT_INJECTION]: The PreToolUse hook in SKILL.md is configured to automatically read and inject the first 30 lines of task_plan.md into the agent's context before every tool call (Read, Write, Edit, Bash, Glob, Grep). This creates a persistent indirect prompt injection surface:
  - Ingestion points: The agent is instructed to write findings and plans to task_plan.md, findings.md, and progress.md (SKILL.md).
  - Boundary markers: The injected data is wrapped in ---BEGIN PLAN DATA--- and ---END PLAN DATA--- tags, which provide some separation but may not prevent adversarial instructions from being followed.
  - Capability inventory: The skill has access to powerful tools including Bash, Write, and Edit (SKILL.md).
  - Sanitization: There is no sanitization or validation of the content of task_plan.md before it is injected into the prompt. If the agent records untrusted data (e.g., from a website or external file) into the plan, that data is automatically re-injected before every subsequent tool call and could hijack the agent's behavior.
- [COMMAND_EXECUTION]: The session-catchup.py script and the Stop/PreCompact hooks perform extensive file system operations, including reading platform-specific session history from ~/.claude/projects/ and ~/.codex/sessions/. While intended for context recovery, this involves automated parsing of internal platform metadata.
Audit Metadata