Planning with files
Review. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent planning skill, but it automatically reuses local planning/session history and has a Stop hook that can execute an unpinned script from the plugin cache.
Review before installing. It appears intended for local planning, not data exfiltration, but you should only use it in trusted projects, inspect the hook commands, and be aware that it may read prior agent session logs and planning files. Consider disabling or modifying the session-catchup and Stop hook behavior if you do not want local session history or unpinned cache scripts used automatically.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If another matching file exists in the plugin cache, the agent could run unintended local code when stopping a task.
The automatic Stop hook executes a script found by recursively searching the plugin cache, including a PowerShell script not present in the manifest, instead of using a pinned path to this skill's own script.
Stop ... command: "powershell.exe ... Get-ChildItem -Path (Join-Path ~ '.claude/plugins/cache') -Filter check-complete.ps1 -Recurse ... || sh \"$(ls $HOME/.claude/plugins/cache/*/*/*/scripts/check-complete.sh ... | head -1)\""
Pin the hook to this skill's own ${CLAUDE_PLUGIN_ROOT}/scripts/check-complete.sh path, remove the missing PowerShell fallback or include the exact reviewed file, and avoid broad cache searches.
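As an added example of the recommendation above (not the skill's or ClawScan's own code), this POSIX sh snippet sets the broad cache search the review quotes beside a resolver pinned to ${CLAUDE_PLUGIN_ROOT}/scripts/check-complete.sh that validates the file before it is run. The plugin-root layout, the fixture directory names and the writability check are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's own code: contrasts the recursive plugin-cache
# search the review flags with a Stop hook resolver pinned to one validated path.
# Assumption: CLAUDE_PLUGIN_ROOT names this plugin's install directory and the
# reviewed script lives at scripts/check-complete.sh beneath it.
# Weak pattern (as quoted in the review): run whatever matching file sorts first
# anywhere under the cache, so a sibling plugin's file can win.
broad_cache_search() {
  ls "$1"/*/*/*/scripts/check-complete.sh 2>/dev/null | head -1
}

# Hardened pattern: a fixed path under the plugin root, checked before use.
# Prints the script path on success; prints a reason to stderr and fails otherwise.
resolve_pinned_hook() {
  plugin_root="$1"
  [ -n "$plugin_root" ] || { echo "CLAUDE_PLUGIN_ROOT is unset" >&2; return 1; }
  script="$plugin_root/scripts/check-complete.sh"
  [ -f "$script" ] && [ ! -L "$script" ] ||
    { echo "pinned hook script missing or is a symlink: $script" >&2; return 1; }
  # The real path must stay inside the plugin root (catches ../ and mount tricks).
  real_root=$(cd "$plugin_root" && pwd -P)
  real_script="$(cd "$(dirname "$script")" && pwd -P)/check-complete.sh"
  case "$real_script" in
    "$real_root"/*) ;;
    *) echo "hook script resolves outside plugin root" >&2; return 1 ;;
  esac
  # Group- or world-writable means any local writer can change what runs on Stop.
  if [ -n "$(find "$script" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
    echo "hook script is group/world-writable: $script" >&2; return 1
  fi
  printf '%s\n' "$script"
}

# Constructed fixture: two plugins in a fake cache, both shipping check-complete.sh.
# Prints the fixture root (constructed paths, not a real cache).
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/cache/mp/pl/1.0/scripts" "$fx/cache/mp/other/2.0/scripts"
  printf 'echo real\n'  > "$fx/cache/mp/pl/1.0/scripts/check-complete.sh"
  printf 'echo decoy\n' > "$fx/cache/mp/other/2.0/scripts/check-complete.sh"
  chmod 0755 "$fx"/cache/mp/*/*/scripts/check-complete.sh
  printf '%s\n' "$fx"
}

if [ "${1:-}" = "demo" ]; then
  fx=$(make_fixture)
  echo "broad search picks:  $(broad_cache_search "$fx/cache")"   # the decoy sorts first
  echo "pinned resolver:     $(resolve_pinned_hook "$fx/cache/mp/pl/1.0")"
  rm -rf "$fx"
fi
```

Run with `sh resolver.sh demo` to see the broad search pick the sibling plugin's file while the pinned resolver returns only this plugin's script.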
Prior conversation or tool history can be brought back into the current task, potentially exposing sensitive context or reintroducing stale/untrusted instructions.
The catch-up script reads local Claude/Codex session JSONL files from the user's home directory and parses prior messages, which may contain sensitive prompts, tool outputs, file paths, or secrets.
return Path.home() / '.claude' / 'projects' / sanitized ... sessions_dir = Path(os.path.expanduser(os.getenv('CODEX_SESSIONS_DIR', '~/.codex/sessions'))) ... parse_session_messages(session_file)
Make session-history access explicit, ask before running catch-up, limit it to the current project/session, and avoid storing secrets in agent transcripts or planning files.
Anyone or anything that changes these project files can influence the agent's future decisions while the skill is active.
The skill intentionally treats project markdown files as persistent working memory and injects them into context before prompts/tools.
If `task_plan.md` exists, read `task_plan.md`, `progress.md`, and `findings.md` immediately ... PreToolUse ... command: "cat task_plan.md 2>/dev/null | head -30 || true"
Use this only in trusted workspaces, review task_plan.md/findings.md/progress.md before continuing, and remove suspicious instructions from those files.
