
My Claude Code Skill Got Flagged by a Security Scanner. Here's What I Found and Fixed.
planning-with-files is a Claude Code skill built on the Manus context-engineering pattern: three persistent markdown files (task_plan.md, findings.md, progress.md) as the agent's working memory on disk. A PreToolUse hook re-reads task_plan.md before every tool call, keeping goals in the agent's attention window throughout long sessions.

A security audit flagged it. I looked into it properly.

The actual vulnerability

The skill declared WebFetch and WebSearch in allowed-tools. That's the surface issue. The real issue is deeper.

The PreToolUse hook re-reads task_plan.md before every single tool call — that's what makes the skill work. It keeps the agent's goal in its attention window throughout a long session. Manus Principle 4: recitation as attention manipulation.

But it also means anything written to task_plan.md gets injected into context on every subsequent tool use. Indefinitely.

The flow: WebSearch(untrusted site) → content lands in task_plan.md → hook injects it before next t
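To make the persistence hazard concrete, here is a small Python model of the pattern, added as an example and not code from the planning-with-files skill or from Claude Code itself. The file names task_plan.md and findings.md come from the post; the hook mechanics (a function called before each tool call that returns the text to recite), the sanctioned update_plan() write path, the digest check, and the sample fetched page are all assumptions of this model. It shows the naive hook re-injecting whatever landed in the plan on every later call, a hardened hook that refuses to recite a plan that changed outside the planning step, and the structural fix of routing untrusted fetched content into findings.md as quoted data rather than into the plan.

```python
"""Model of 'recite task_plan.md before every tool call' and its failure mode.

Added example, not the skill's own code. Hook plumbing is simulated in plain
Python; Claude Code's real hook protocol is not used here.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample of a fetched page. The bracketed line stands in for any
# instruction-like text an untrusted site might carry; it is not a real payload.
UNTRUSTED_PAGE = (
    "Vendor X publishes a SOC 2 Type II report annually.\n"
    "[instruction-like text aimed at the agent would appear here]\n"
)
MARKER = "[instruction-like"


class Workspace:
    """task_plan.md and findings.md on disk, plus two variants of the hook."""

    def __init__(self, root):
        self.root = Path(root)
        self.plan = self.root / "task_plan.md"
        self.findings = self.root / "findings.md"
        self.findings.write_text("# Findings\n")
        # Assumed: the agent's own planning step is the only sanctioned writer.
        self.update_plan("# Goal\n1. Collect vendor X security documentation.\n")

    def _digest(self):
        return hashlib.sha256(self.plan.read_bytes()).hexdigest()

    def update_plan(self, text):
        """Sanctioned write path: record the digest of what the agent wrote."""
        self.plan.write_text(text)
        self.plan_digest = self._digest()

    def record_web_result(self, url, body):
        """Untrusted tool output is data: quote it into findings.md, never the plan."""
        quoted = "".join(f"> {line}\n" for line in body.splitlines())
        with self.findings.open("a") as f:
            f.write(f"\n## Untrusted content from {url}\n{quoted}")

    def recite_naive(self):
        """Hook as the post describes it: recite whatever task_plan.md contains."""
        return self.plan.read_text()

    def recite_checked(self):
        """Hardened hook: refuse to recite a plan changed outside update_plan()."""
        if self._digest() != self.plan_digest:
            return "[task_plan.md changed outside the planning step; not recited]"
        return self.plan.read_text()


def run_scenarios():
    """Return which properties hold in the vulnerable and hardened flows."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ws = Workspace(d)
        # Failure mode from the post: fetched content written straight into the
        # plan, bypassing the sanctioned write path.
        ws.plan.write_text(ws.plan.read_text() + UNTRUSTED_PAGE)
        # Three later tool calls: the naive hook re-injects the text every time.
        results["naive_reinjects_on_every_call"] = all(
            MARKER in ws.recite_naive() for _ in range(3)
        )
        results["checked_hook_refuses_tampered_plan"] = MARKER not in ws.recite_checked()
    with tempfile.TemporaryDirectory() as d:
        ws = Workspace(d)
        # Mitigation: the same content is routed to findings.md as quoted data.
        ws.record_web_result("https://example.invalid/report", UNTRUSTED_PAGE)
        results["routed_content_stays_out_of_plan"] = MARKER not in ws.recite_checked()
        results["routed_content_lands_in_findings"] = (
            "Untrusted content from https://example.invalid/report" in ws.findings.read_text()
        )
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The digest check is deliberately narrow: it does not try to recognise malicious text, which is unreliable, but only answers whether the recited file is the one the planning step wrote. Keeping untrusted fetched content out of the file the hook recites is what breaks the indefinite re-injection loop.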