Is planning-with-files safe?

https://clawhub.ai/OthmanAdi/planning-with-files

72
CAUTION

This skill implements a sophisticated file-based planning workflow with automatic hooks that fire on nearly every tool call, effectively hijacking the agent's attention and decision-making context. The session-catchup.py script reads previous Claude Code session transcripts from ~/.claude/projects/, creating a cross-session data bridge that exposes prior conversation content. While the skill's intent appears legitimate (Manus-style context engineering for complex tasks), the aggressive hooking pattern, session data access, and behavioral overrides (discouraging built-in TodoWrite) represent meaningful security concerns that warrant careful review before installation.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection      55/100 · 30%
Data Exfiltration     60/100 · 25%
Code Execution        55/100 · 20%
Clone Behavior        95/100 · 10%
Canary Integrity     100/100 · 10%
Behavioral Reasoning  50/100 ·  5%

Findings (10)

HIGH Automatic hook-based attention hijacking on every tool call -25

The PreToolUse hook fires on Write, Edit, Bash, Read, Glob, and Grep — nearly every tool the agent uses. Each invocation runs 'cat task_plan.md | head -30', injecting the skill's planning state into the agent's context before every action. This is an intentional attention manipulation technique (documented in reference.md as 'Manipulate Attention Through Recitation') that effectively controls what the agent thinks about before each decision.

HIGH Session transcript reading via session-catchup.py -30

The session-catchup.py script reads Claude Code session files (~/.claude/projects//*.jsonl) which contain full conversation transcripts including user messages, assistant responses, tool inputs/outputs, and potentially sensitive data from prior sessions. It outputs up to 15 messages (user: 300 chars, assistant: 600 chars each) into the current session context. While designed for workflow continuity, this creates a cross-session data bridge that could be weaponized.

HIGH PostToolUse hook injects behavioral directives -10

After every Write or Edit operation, the PostToolUse hook outputs '[planning-with-files] File updated. If this completes a phase, update task_plan.md status.' This is a behavioral directive that steers the agent to update the skill's tracking files after every file modification, regardless of whether the user's task involves the planning workflow.

MEDIUM Automatic script execution on Stop hook -20

The Stop hook automatically runs check-complete.sh every time the agent conversation ends. While the script is benign (only reads task_plan.md and outputs status), the automatic execution pattern means users have shell commands running without per-invocation consent. The Windows path uses '-ExecutionPolicy Bypass' to circumvent PowerShell security.

MEDIUM PowerShell ExecutionPolicy Bypass on Windows -15

The Stop hook explicitly uses 'pwsh -ExecutionPolicy Bypass' and 'powershell -ExecutionPolicy Bypass' to run check-complete.ps1, circumventing Windows PowerShell security policies. While used for a benign script, this pattern normalizes security policy bypass.

MEDIUM Skill overrides built-in agent behavior patterns -10

The skill explicitly instructs the agent not to use TodoWrite ('Don't: Use TodoWrite for persistence → Do: Create task_plan.md file') and replaces it with its own file-based tracking. It also instructs the agent to run its scripts before starting any work, effectively taking over the agent's workflow.

MEDIUM WebFetch and WebSearch in allowed-tools enables potential exfiltration -10

The skill declares WebFetch and WebSearch as allowed tools. While the current skill content doesn't instruct data exfiltration, having these tools available means a modified version could instruct the agent to send session data or file contents to external endpoints.

LOW Cross-skill interference via global hooks -15

The PreToolUse and PostToolUse hooks fire on common tools (Read, Write, Edit, Bash, Glob, Grep) that other skills also use. When multiple skills are installed, this skill's hooks will inject planning context into every other skill's operations, potentially confusing the agent or leaking context between skills.

LOW Reference material provides prompt injection blueprints -10

reference.md documents sophisticated context engineering techniques including KV-cache manipulation, attention hijacking via recitation, and logit masking strategies. While educational, this provides a ready-made blueprint for building more aggressive prompt injection skills.

INFO Clean clone behavior -5

No suspicious activity during clone/install. Only standard Node.js JIT cache files in /tmp/jiti/. No network connections, no unexpected processes, no filesystem changes outside skill directory.