planning-with-files-de

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The 'Stop' hook defined in 'SKILL.md' uses a search-and-execute pattern. It executes a command that searches the entire '.claude/plugins/cache' directory for scripts named 'check-complete.ps1' (on Windows) or 'check-complete.sh' (on POSIX) and runs the first match found. This dynamic path resolution for executable code is insecure as it could execute unintended or malicious scripts if they are placed anywhere within the cache directory tree.
  • [PROMPT_INJECTION]: The 'session-catchup.py' script parses historical session logs ('.jsonl' files) from the user's home directory and prints previous user and assistant messages directly to standard output. The skill's instructions then direct the agent to 'update the planning files based on the recovery report.' This creates a mechanism for indirect prompt injection where malicious instructions from a previous session—potentially originally retrieved from an untrusted web source—are re-injected into the current session and incorporated into the agent's authoritative plan files.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface Analysis:
  • Ingestion points: 'session-catchup.py' reads raw conversation history from session logs in '/.claude/projects/' and '/.codex/sessions/'.
  • Boundary markers: Absent. The script echoes extracted text directly into the prompt without delimiters or 'ignore' instructions.
  • Capability inventory: The skill has access to 'Bash', 'Write', 'Edit', 'Read', 'Glob', and 'Grep' tools as defined in the 'allowed-tools' frontmatter.
  • Sanitization: Absent. There is no evidence of filtering, escaping, or validation of the content extracted from the session logs before it is presented to the agent.
  • [COMMAND_EXECUTION]: The 'SKILL.md' instructions guide the agent to execute 'session-catchup.py' using a shell command that passes the current working directory ('$(pwd)') as an argument. While the script uses the path for legitimate purposes, the execution of local Python scripts with directory-dependent arguments increases the risk of side effects if the environment is not strictly controlled.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 20, 2026, 04:01 AM
Security Audit — agent-trust-hub — planning-with-files-de