planning-with-files-es
Warn
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a Stop hook in SKILL.md that executes shell and PowerShell commands to locate and run lifecycle scripts. It performs a recursive search (Get-ChildItem -Recurse) or uses wildcards (ls .../*/*/*/scripts/) within the ~/.claude/plugins/cache directory to find check-complete.ps1 or check-complete.sh. Executing files from paths resolved dynamically through filesystem searching is a security risk, as it could lead to the execution of unintended scripts if an attacker or another plugin places files in those shared locations.
- [DATA_EXFILTRATION]: The scripts/session-catchup.py tool reads the user's conversation history stored in ~/.claude/projects/ and ~/.codex/sessions/. Although this data is processed locally to restore context, conversation logs are highly sensitive as they contain the full record of user interactions, which may include private data or credentials. Reading these logs represents a significant data exposure risk.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface through its use of automation hooks. The PreToolUse hook in SKILL.md automatically reads task_plan.md and displays its contents to the agent before every tool call. If the agent is tricked into writing malicious instructions to the plan file (e.g., while processing untrusted external content), these instructions will be repeatedly re-injected into the context, potentially hijacking the agent's behavior for the remainder of the session.
  - Ingestion points: task_plan.md (read via PreToolUse hook), findings.md, progress.md (read during session catch-up).
  - Boundary markers: Absent. Plan data is displayed between simple text markers without instructions to ignore embedded commands.
  - Capability inventory: Bash, Write, Edit, Read, Glob, Grep are available to the agent.
  - Sanitization: Absent. The skill documentation warns about the risk but does not provide programmatic filtering of the content.
Audit Metadata