planning-foundation

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill manages the lifecycle of its persistent planning state by instructing the agent to execute multiple shell scripts (e.g., init-writing-dir.sh, snapshot-save.sh, aggregate-agent-findings.sh) located within the plugin's root directory at ${CLAUDE_PLUGIN_ROOT}/scripts/. These scripts are used for routine operational tasks such as directory initialization, status checking, and archiving.
  • [PROMPT_INJECTION]: The skill is designed to ingest and act upon data from local markdown files (.writing/plan.md, etc.) which constitutes an indirect prompt injection surface. However, the associated 'Review-Loop Protocol' includes defensive logic to treat this external content strictly as data during review phases to prevent embedded instructions from hijacking the agent's behavior.
  • Ingestion points: Reads from project-local files including .writing/plan.md, .writing/design.md, and .writing/findings.md.
  • Boundary markers: Standard operations use instructional context; the 'Review-Loop Protocol' provides an optional 'Phase-separated pre-commitment' strategy to isolate data from instructions.
  • Capability inventory: Shell command execution via bash, file system read/write access, and coordination of various superpower-writing sub-agents.
  • Sanitization: Relies on behavioral instructions to enforce the separation of data and control during analysis.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 13, 2026, 05:55 PM
Security Audit — agent-trust-hub — planning-foundation