planning-with-files-es

Warn

Audited by Gen Agent Trust Hub on May 22, 2026

Risk Level: MEDIUM
Risk categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill implements a Stop hook in SKILL.md that executes shell and PowerShell commands to locate and run lifecycle scripts. It performs a recursive search (Get-ChildItem -Recurse) or uses wildcards (ls .../*/*/*/scripts/) within the ~/.claude/plugins/cache directory to find check-complete.ps1 or check-complete.sh. Executing files from paths resolved dynamically through filesystem searching is a security risk, as it could lead to the execution of unintended scripts if an attacker or another plugin places files in those shared locations.
  • [DATA_EXFILTRATION]: The scripts/session-catchup.py tool reads the user's conversation history stored in ~/.claude/projects/ and ~/.codex/sessions/. Although this data is processed locally to restore context, conversation logs are highly sensitive as they contain the full record of user interactions, which may include private data or credentials. Reading these logs represents a significant data exposure risk.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface through its use of automation hooks. The PreToolUse hook in SKILL.md automatically reads task_plan.md and displays its contents to the agent before every tool call. If the agent is tricked into writing malicious instructions to the plan file (e.g., while processing untrusted external content), these instructions will be repeatedly re-injected into the context, potentially hijacking the agent's behavior for the remainder of the session.
  • Ingestion points: task_plan.md (read via PreToolUse hook), findings.md, progress.md (read during session catch-up).
  • Boundary markers: Absent. Plan data is displayed between simple text markers without instructions to ignore embedded commands.
  • Capability inventory: Bash, Write, Edit, Read, Glob, Grep are available to the agent.
  • Sanitization: Absent. The skill documentation warns about the risk but does not provide programmatic filtering of the content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 22, 2026, 02:05 AM
Security Audit — agent-trust-hub — planning-with-files-es