Planning with Files

Network discovery — enumerates network interfaces, connections, or routing tables

ss -Fil

The skill is granted access to the `Bash` tool, enabling arbitrary shell command execution. Additionally, the `Stop` hook and 'Restore Context' section execute external scripts (`.ps1`, `.sh`, `.py`) directly, with the PowerShell command using `ExecutionPolicy Bypass`, providing multiple vectors for arbitrary code execution.

allowed-tools: "Bash"; Stop hook: `powershell.exe ... || sh ...`; Restore Context: `$(command -v python3 || command -v python) ...session-catchup.py`

The skill has `Read`, `Write`, `Edit`, `Glob`, and `Grep` tool access, allowing for broad file system reconnaissance, modification of arbitrary files, and potential data exfiltration. This capability, especially when combined with prompt injection, enables an attacker to read sensitive files, alter system configurations, or exfiltrate data.

allowed-tools: "Read, Write, Edit, Glob, Grep"

The Stop hook executes external shell and PowerShell scripts from a plugin root directory. The path is partially user-controlled via CLAUDE_PLUGIN_ROOT environment variable. This enables arbitrary code execution from attacker-controlled script paths, and the PowerShell invocation uses -ExecutionPolicy Bypass, explicitly disabling security controls.

"SD=\"${CLAUDE_PLUGIN_ROOT:-$HOME/.claude/plugins/planning-with-files}/scripts\"; powershell.exe -NoProfile -ExecutionPolicy Bypass -File \"$SD/check-complete.ps1\" 2>/dev/null || sh \"$SD/check-complete.sh\""

The Stop hook explicitly invokes PowerShell with -ExecutionPolicy Bypass, circumventing the system's configured script execution policy. This is a well-known technique for running unsigned or restricted scripts while evading Windows security controls.

powershell.exe -NoProfile -ExecutionPolicy Bypass -File

The skill instructs the agent to execute a Python script (session-catchup.py) from the plugin directory, passing the current working directory as an argument. This script is not auditable from the skill content and could perform arbitrary operations including data exfiltration or reconnaissance.

$(command -v python3 || command -v python) ${CLAUDE_PLUGIN_ROOT}/scripts/session-catchup.py "$(pwd)"

Multiple commands construct file paths using the CLAUDE_PLUGIN_ROOT environment variable without sanitization. If this variable is attacker-controlled or manipulated, it could redirect script execution to arbitrary locations or enable path traversal attacks.

${CLAUDE_PLUGIN_ROOT:-$HOME/.claude/plugins/planning-with-files}/scripts and ${CLAUDE_PLUGIN_ROOT}/scripts/session-catchup.py

The skill design explicitly uses `task_plan.md` as a persistent memory, injecting its content into the agent's context before every user prompt and before every tool call. This creates a high-value target for indirect prompt injection, as acknowledged by the skill's 'Security Boundary' section, allowing an attacker to inject malicious instructions that are repeatedly executed.

UserPromptSubmit hook: `head -50 task_plan.md`; PreToolUse hook: `cat task_plan.md`; 'Security Boundary' section: 'Content written to task_plan.md is injected into context repeatedly'

The UserPromptSubmit hook automatically reads and injects task_plan.md content into the agent's context on every user message. Since task_plan.md is written from various sources including findings from web/search, this creates an amplified indirect prompt injection vector where malicious instructions in external content persist and are re-injected repeatedly.

hooks:\n  UserPromptSubmit:\n    - hooks:\n        - type: command\n          command: \"if [ -f task_plan.md ]; then echo '[planning-with-files] ACTIVE PLAN — current state:'; head -50 task_plan.md;

The PreToolUse hook reads task_plan.md before every Write, Edit, Bash, Read, Glob, or Grep tool call, injecting its contents into context. This means any malicious instructions embedded in task_plan.md are amplified on every tool use, significantly increasing the attack surface for indirect prompt injection.

PreToolUse:\n    - matcher: \"Write|Edit|Bash|Read|Glob|Grep\"\n      hooks:\n        - type: command\n          command: \"cat task_plan.md 2>/dev/null | head -30 || true\"

The skill explicitly documents that task_plan.md is a 'high-value target for indirect prompt injection' and that its PreToolUse hook repeatedly re-reads and injects file contents. While framed as a security warning, this also serves as precise documentation for an attacker on how to exploit the hook mechanism.

Content written to `task_plan.md` is injected into context repeatedly — making it a high-value target for indirect prompt injection.

The skill instructs the agent to continue autonomously through multi-phase plans with many tool calls without user confirmation checkpoints. Combined with session recovery, this creates a pattern of autonomous operation that could proceed without meaningful human oversight across sessions.

Use when asked to plan out, break down, or organize a multi-step project, research task, or any work requiring >5 tool calls. Supports automatic session recovery after /clear.