Superpower with Files

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate coding workflow skill, but it can automatically run hook scripts and read prior AI session logs, so it should be reviewed before enabling.

Install only if you are comfortable with persistent project memory files, possible reading of prior local AI session history, and automatic hook scripts. Before enabling it, inspect the installed hook paths, consider disabling session-catchup if not needed, avoid putting secrets in chat or planning files, and manually approve git/PR/destructive operations.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Medium
What this means

If these hooks are active, local scripts may run automatically at session stop; if the referenced files differ from the reviewed package or are tampered with, unexpected code could execute.

Why it was flagged

The skill defines an automatic Stop hook that runs shell/PowerShell scripts from a plugin scripts directory. The provided manifest shows hook scripts, but not the referenced scripts/check-complete.ps1 path, creating an auto-execution/provenance mismatch.

Skill content
command: "SD=\"${CLAUDE_PLUGIN_ROOT:-$HOME/.claude/plugins/planning-with-files}/scripts\"; powershell.exe -NoProfile -ExecutionPolicy Bypass -File \"$SD/check-complete.ps1\" 2>/dev/null || sh \"$SD/check-complete.sh\""
Recommendation

Inspect or disable hooks before use, verify the exact scripts installed at the referenced paths, and avoid enabling automatic PowerShell/shell hooks unless you trust the local files.

ASI06: Memory and Context Poisoning
Medium
What this means

Private information from earlier AI sessions for the project could be reintroduced into the current session, including secrets if they were previously pasted into chat.

Why it was flagged

The catch-up helper reads local AI IDE session storage and collects prior conversation content. That fits the session-recovery purpose, but it can expose sensitive past prompts or tool outputs to the current agent context.

Skill content
finds the most recent planning file update across ALL sessions, then collects all conversation from that point forward ... Supports multiple AI IDEs: - Claude Code (.claude/projects/) - OpenCode (.local/share/opencode/storage/)
Recommendation

Use session catch-up only in trusted projects, review its output before relying on it, and avoid storing secrets in AI chat or planning files.

ASI06: Memory and Context Poisoning
Low
What this means

Bad or untrusted instructions accidentally saved into task_plan.md could repeatedly steer the agent.

Why it was flagged

The artifact explicitly acknowledges that persistent plan files repeatedly influence the agent. It also provides mitigation guidance, so this is disclosed and purpose-aligned, but still important.

Skill content
This skill uses a PreToolUse hook to re-read `task_plan.md` before every tool call. Content written to `task_plan.md` is injected into context repeatedly — making it a high-value target for indirect prompt injection.
Recommendation

Keep untrusted web/search content out of task_plan.md, review memory files periodically, and store external findings separately as the skill recommends.

ASI02: Tool Misuse and Exploitation
Low
What this means

If approved, the agent can publish code changes or delete local branch/worktree state.

Why it was flagged

The workflow includes high-impact git and GitHub actions, including pushing branches, creating PRs, deleting branches, and removing worktrees. The same artifact requires options and confirmation for discard, so this is disclosed and scoped.

Skill content
git push -u origin <feature-branch> ... gh pr create ... git branch -D <feature-branch> ... git worktree remove <worktree-path>
Recommendation

Review the chosen completion option and commands before approving merges, PR creation, branch deletion, or worktree cleanup.