planning-with-files-zh

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface
    ◦ Ingestion points: The PreToolUse hook in SKILL.md automatically reads and injects the first 30 lines of task_plan.md into the agent's prompt before every tool call.
    ◦ Boundary markers: The injected content is wrapped in ---BEGIN PLAN DATA--- and ---END PLAN DATA--- delimiters.
    ◦ Capability inventory: The skill allows access to powerful tools including Write, Edit, Bash, Read, Glob, and Grep across all scripts.
    ◦ Sanitization: No sanitization or validation is performed on the content of task_plan.md before it is injected into the context, so potentially malicious instructions from external sources (e.g., text copied into the plan by the agent) can influence subsequent actions.
  • [DATA_EXFILTRATION]: Session History Exposure
    ◦ The scripts/session-catchup.py script is designed to access and read sensitive session history files stored in ~/.claude/projects/ and ~/.codex/sessions/.
    ◦ It parses these JSONL conversation logs to find unsynced context and prints excerpts of up to 15 previous messages to standard output. This exposes historical user conversation data to the active agent context during the session recovery process.
  • [COMMAND_EXECUTION]: Dynamic Script Discovery and Execution
    ◦ The Stop hook in SKILL.md executes PowerShell and Bash commands that perform dynamic path resolution to locate its own completion scripts. It searches recursively through ~/.claude/plugins/cache and executes the first matching file found.
    ◦ The PowerShell command uses -ExecutionPolicy RemoteSigned, which explicitly permits the execution of local scripts by bypassing the default system execution policy.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 15, 2026, 07:25 AM