planning-with-files-zht

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses automated hooks to inject file content into the agent's prompt context. The PreToolUse hook in SKILL.md runs cat task_plan.md, placing the file's content directly into the context before every tool invocation. This represents a significant surface for Indirect Prompt Injection if the file contains data from untrusted sources.
  • Ingestion points: task_plan.md, findings.md, and progress.md (located in the project directory) are used to store project data and are read by the agent or injected via hooks.
  • Boundary markers: The hook uses ---BEGIN PLAN DATA--- and ---END PLAN DATA--- as delimiters.
  • Capability inventory: The skill allows Read, Write, Edit, Bash, Glob, and Grep tools, providing high-privilege interaction with the local filesystem.
  • Sanitization: There is no evidence of sanitization or instruction filtering for the content injected from task_plan.md into the active prompt context.
  • [COMMAND_EXECUTION]: The Stop hook in SKILL.md performs a recursive search in the ~/.claude/plugins/cache directory to find and execute files named check-complete.ps1 or check-complete.sh. Executing files found dynamically through filesystem traversal poses a security risk if an attacker can influence the contents of the cache directory.
  • [DATA_EXPOSURE]: The script scripts/session-catchup.py reads session metadata and conversation history from ~/.claude/projects/ and ~/.codex/sessions. While intended for context restoration, this script processes sensitive conversation logs and outputs them back into the active session.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 15, 2026, 02:00 AM