planning-foundation
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill manages the lifecycle of its persistent planning state by instructing the agent to execute multiple shell scripts (e.g., init-writing-dir.sh, snapshot-save.sh, aggregate-agent-findings.sh) located within the plugin's root directory at ${CLAUDE_PLUGIN_ROOT}/scripts/. These scripts are used for routine operational tasks such as directory initialization, status checking, and archiving.
- [PROMPT_INJECTION]: The skill is designed to ingest and act upon data from local markdown files (.writing/plan.md, etc.) which constitutes an indirect prompt injection surface. However, the associated 'Review-Loop Protocol' includes defensive logic to treat this external content strictly as data during review phases to prevent embedded instructions from hijacking the agent's behavior.
- Ingestion points: Reads from project-local files including .writing/plan.md, .writing/design.md, and .writing/findings.md.
- Boundary markers: Standard operations use instructional context; the 'Review-Loop Protocol' provides an optional 'Phase-separated pre-commitment' strategy to isolate data from instructions.
- Capability inventory: Shell command execution via bash, file system read/write access, and coordination of various superpower-writing sub-agents.
- Sanitization: Relies on behavioral instructions to enforce the separation of data and control during analysis.
Audit Metadata