planning-with-files-zh

Pass

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill implements an automated context injection mechanism through lifecycle hooks (UserPromptSubmit, PreToolUse, PreCompact) that read the contents of task_plan.md and progress.md and inject them into the agent's prompt. Because those files are writable on disk, this is an indirect prompt injection surface.
  • Ingestion points: task_plan.md, progress.md, and findings.md are read in various hooks.
  • Boundary markers: The skill proactively uses explicit markers (===BEGIN PLAN DATA=== / ===END PLAN DATA===) and provides instructions for the agent to treat the injected content as structured data only.
  • Capability inventory: The agent has access to file system tools (Read, Write, Edit, Bash) which could be used if an injection were successful.
  • Sanitization: The skill includes a sophisticated SHA256-based attestation mechanism (.plan-attestation) to detect and block execution if the plan files have been tampered with by external processes.
  • [COMMAND_EXECUTION]: The skill uses lifecycle hooks to execute local maintenance scripts for checking task completion and initializing project files.
  • Evidence: The Stop hook executes check-complete.sh or check-complete.ps1. The PreToolUse hook runs a shell script to verify file integrity and provide context.
  • [COMMAND_EXECUTION]: A Python script (session-catchup.py) is provided to help the agent recover context from previous local session logs. This script reads history from standard agent storage directories (~/.claude/projects/ and ~/.codex/sessions/).
  • Evidence: Instructions in SKILL.md guide the user to run the recovery script manually or via project-level automation.
Audit Metadata
Risk Level: SAFE
Analyzed: May 27, 2026, 08:34 AM
Security Audit — agent-trust-hub — planning-with-files-zh