ClawHub
Back to skill
v2.35.0

Planning with files

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:53 AM.

Analysis

The skill’s planning-file workflow is mostly coherent, but it automatically reads local agent session histories and runs a helper script through broad, unpinned cache paths, which deserves careful review before installation.

GuidanceTreat this as a Review install. The core planning-file idea is understandable, but install only if you are comfortable with automatic hooks, local session-history recovery, and persistent project memory. In particular, review or disable the Stop hook’s plugin-cache script lookup and inspect/reset any existing task_plan.md, findings.md, and progress.md before letting the agent follow them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityHighConfidenceHighStatusConcern
SKILL.md
command: "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"& (Get-ChildItem -Path (Join-Path ~ '.claude/plugins/cache') -Filter check-complete.ps1 -Recurse -EA 0 | Select-Object -First 1).FullName\" 2>/dev/null || sh \"$(ls $HOME/.claude/plugins/cache/*/*/*/scripts/check-complete.sh 2>/dev/null | head -1)\" 2>/dev/null || true"

The automatic Stop hook executes a PowerShell or shell script found by recursively searching the shared plugin cache, rather than executing this skill’s reviewed script by a fixed path. The PowerShell branch also uses ExecutionPolicy Bypass and references check-complete.ps1, which is not present in the provided manifest.

User impactWhen a session stops, the skill may run a helper script selected from the plugin cache automatically. If the first matching file is not the intended reviewed helper, code outside this skill’s provided artifacts could run.
RecommendationOnly install after confirming the hook is changed to call the bundled helper by an exact path such as ${CLAUDE_PLUGIN_ROOT}/scripts/check-complete.sh, and avoid recursive cache searches or ExecutionPolicy Bypass for missing/unreviewed helpers.
Agent Goal Hijack
SeverityLowConfidenceHighStatusNote
SKILL.md
if [ -f task_plan.md ]; then echo '[planning-with-files] ACTIVE PLAN — current state:'; head -50 task_plan.md; ... echo '[planning-with-files] Read findings.md for research context. Continue from the current phase.'; fi

The skill intentionally injects project-local planning-file contents into the agent’s context and tells the agent to continue from that phase. This matches the planning purpose, but it makes those files influential instructions.

User impactA stale, checked-in, or untrusted task_plan.md or findings.md in a project could steer the agent’s next actions until the user reviews or replaces it.
RecommendationBefore using this skill in an existing or untrusted project, inspect task_plan.md, findings.md, and progress.md, and delete or reset any plan files you do not want the agent to follow.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusConcern
scripts/session-catchup.py
return Path.home() / '.claude' / 'projects' / sanitized
...
sessions_dir = Path(os.path.expanduser(os.getenv('CODEX_SESSIONS_DIR', '~/.codex/sessions')))
...
sessions = sorted(sessions_dir.rglob('rollout-*.jsonl'), key=safe_stat_mtime, reverse=True)
...
with open(session_file, 'r', encoding='utf-8', errors='replace') as f:

The recovery script locates Claude and Codex session-storage directories and reads JSONL session files. Those logs can contain prior conversation context, tool outputs, file paths, and other sensitive work history.

User impactThe skill can bring previous local agent-session content back into the current task. That helps recovery, but may also expose private prior context or reintroduce stale or poisoned instructions.
RecommendationReview what is stored in local Claude/Codex session logs before using recovery. Prefer a version that clearly discloses the directories read, limits recovery to the current project, excludes secrets and unrelated tool outputs, and asks before importing recovered context.