Skills
skills/tdimino/claude-code-minoan/planning-with-files/Gen Agent Trust Hub

planning-with-files

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The script scripts/session-catchup.py is designed to access and read files from ~/.claude/projects/. This directory contains the agent's internal session history and project logs. While intended for context recovery, this allows the skill to expose sensitive data from previous conversations.
  • [COMMAND_EXECUTION]: The skill uses Stop hooks and instruction-based triggers to execute shell scripts. These include init-session.sh/ps1, check-complete.sh/ps1, and session-catchup.py. PowerShell execution is performed using -ExecutionPolicy Bypass, which circumvents local security restrictions.
  • [PROMPT_INJECTION]: The 'Session Catchup' functionality creates an indirect prompt injection surface. It extracts content from previous session logs (.jsonl files) and injects them into the current context without sanitization.
  • Ingestion points: scripts/session-catchup.py reads session history files from the internal .claude/projects directory.
  • Boundary markers: No boundary markers or 'ignore' instructions are used when presenting the recovered context to the agent.
  • Capability inventory: The skill possesses extensive capabilities including Bash (shell execution), Write, and Edit (filesystem modification).
  • Sanitization: No sanitization or filtering of the extracted session content is performed before it is output.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 04:38 PM
Security Audit — agent-trust-hub — planning-with-files