planning-with-files-zh
Pass
Audited by Gen Agent Trust Hub on May 27, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an automated context injection mechanism through lifecycle hooks (UserPromptSubmit, PreToolUse, PreCompact) that read contents from task_plan.md and progress.md and inject them into the agent's prompt. This represents an indirect prompt injection surface.
- Ingestion points: task_plan.md, progress.md, and findings.md are read in various hooks.
- Boundary markers: The skill proactively uses explicit markers (===BEGIN PLAN DATA=== / ===END PLAN DATA===) and provides instructions for the agent to treat the injected content as structured data only.
- Capability inventory: The agent has access to file system tools (Read, Write, Edit, Bash) which could be used if an injection were successful.
- Sanitization: The skill includes a sophisticated SHA256-based attestation mechanism (.plan-attestation) to detect and block execution if the plan files have been tampered with by external processes.
- [COMMAND_EXECUTION]: The skill uses lifecycle hooks to execute local maintenance scripts for checking task completion and initializing project files.
- Evidence: The Stop hook executes check-complete.sh or check-complete.ps1. The PreToolUse hook runs a shell script to verify file integrity and provide context.
- [COMMAND_EXECUTION]: A Python script (session-catchup.py) is provided to help the agent recover context from previous local session logs. This script reads history from standard agent storage directories (~/.claude/projects/ and ~/.codex/sessions/).
- Evidence: Instructions in SKILL.md guide the user to run the recovery script manually or via project-level automation.
Audit Metadata