Security Fix
This release addresses the Gen Agent Trust Hub FAIL and reduces the Snyk W011 risk score reported against planning-with-files.
Root Cause
The skill declared WebFetch and WebSearch in allowed-tools. Combined with the PreToolUse hook that auto-re-reads task_plan.md before every tool call, this created a toxic flow:
- Agent fetches untrusted web content
- Content is written to planning files
- Hook injects that content into context on every subsequent tool call — amplification
This is exactly the pattern that security scanners classify as indirect prompt injection + amplification.
What Changed
- `allowed-tools` updated — `WebFetch` and `WebSearch` removed from all 7 IDE variants (Claude Code, Cursor, Kilocode, CodeBuddy, Codex, OpenCode, Mastra Code). This skill is a planning and file-management tool; web access is not part of its core scope.
- Security Boundary section added to `SKILL.md` — explicit guidance that external content must go to `findings.md` only, never `task_plan.md`, and all web-sourced content must be treated as untrusted.
- Security note added to `examples.md` inline with the WebSearch example — reinforces the trust boundary at the point where users learn the pattern.
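As an added illustration of the Root Cause and the `allowed-tools` change above (example code, not part of the planning-with-files project), the check below parses a SKILL.md frontmatter and flags any web-capable tool the skill declares. The two SKILL.md strings are constructed samples; the comma-separated `allowed-tools` field follows the Claude Code skill frontmatter format, and the YAML list form of that field is not handled.

```python
"""Flag web-capable tools declared in a SKILL.md frontmatter.

Constructed samples: one declaration with WebFetch/WebSearch present (the
root-cause configuration) and one with them removed (the fixed one).
"""
import re

# The tools whose declaration turned fetched web content into planning-file input.
WEB_TOOLS = {"WebFetch", "WebSearch"}

# Constructed sample: pre-fix declaration, web tools present.
SKILL_BEFORE = """---
name: planning-with-files
description: Planning and file-management workflow
allowed-tools: Read, Write, Edit, WebFetch, WebSearch
---
# Planning with files
"""

# Constructed sample: post-fix declaration, web tools removed.
SKILL_AFTER = """---
name: planning-with-files
description: Planning and file-management workflow
allowed-tools: Read, Write, Edit
---
# Planning with files
"""


def parse_frontmatter(text: str) -> dict:
    """Return key/value pairs from the leading '---' block, or {} if absent."""
    match = re.match(r"^---\n(.*?)\n---\n", text, re.S)
    if not match:
        return {}
    fields = {}
    for line in match.group(1).splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def allowed_tools(text: str) -> list:
    """Split the comma-separated allowed-tools value into tool names."""
    raw = parse_frontmatter(text).get("allowed-tools", "")
    return [tool.strip() for tool in raw.split(",") if tool.strip()]


def web_tools_declared(text: str) -> set:
    """Web-capable tools the skill declares; non-empty means the pattern is present."""
    return WEB_TOOLS & set(allowed_tools(text))


if __name__ == "__main__":
    for label, skill in (("before", SKILL_BEFORE), ("after", SKILL_AFTER)):
        print(label, sorted(web_tools_declared(skill)))
```

Run against a real skill tree, the same check applied to every SKILL.md variant would confirm that none of them still declares a web tool.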
Impact
- Users can still use web search naturally in their workflow — the skill just no longer declares it as part of its own tool scope
- The planning workflow (3 files, hooks, session recovery) is unchanged
- All 16 IDE integrations updated
Files Changed
23 files — 7 SKILL.md variants + 14 examples.md variants + CHANGELOG + plugin.json