The Agent Skills Directory

[COMMAND_EXECUTION]: The Stop hook in SKILL.md performs dynamic code execution by searching for and running scripts (check-complete.ps1 or check-complete.sh) within the ~/.claude/plugins/cache directory. This pattern of locating and executing files by name across a shared cache directory poses a risk of executing unintended or malicious scripts. Additionally, the PowerShell execution bypasses default policies using the RemoteSigned flag.- [PROMPT_INJECTION]: The skill is designed to automatically inject the contents of task_plan.md into the agent's context before every tool call via a PreToolUse hook. This creates a surface for indirect prompt injection where untrusted data written to the plan could influence subsequent agent actions.
Ingestion points: task_plan.md (read by PreToolUse hook in SKILL.md).
Boundary markers: Absent; the hook directly cats the file content into the prompt.
Capability inventory: The skill uses Bash, Write, Edit, and Read tools.
Sanitization: Absent; no validation or filtering is applied to the planning file content.- [DATA_EXFILTRATION]: The scripts/session-catchup.py script accesses and reads internal application session history from the ~/.claude/projects/ and ~/.codex/sessions/ directories. While this is used for local context restoration, it involves reading sensitive transcripts of previous user interactions from the file system.

planning-with-files-de