setperms
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill systematically disables safety prompts by adding a massive list of powerful CLI tools to the 'allow' list in `.claude/settings.local.json`.
  - Pre-approved shells include `bash` and `powershell`, which allows for arbitrary code execution without user oversight.
  - Pre-approved package managers include `npm`, `pip`, `uv`, and `brew`, which can be used to install and run malicious software.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill pre-approves tools specifically designed for downloading external content, such as `curl`, `http` (httpie), and `firecrawl`. This bypasses the typical security checkpoints when an agent attempts to access the internet.
- [DATA_EXFILTRATION] (MEDIUM): By granting silent access to network tools (`curl`, `http`) and file system tools (`cat`, `rg`), the skill enables a high-risk path for data exfiltration. An agent influenced by a prompt injection could send sensitive project data to an external server without the user's knowledge.
- [INDIRECT_PROMPT_INJECTION] (LOW): This configuration creates a highly exploitable environment. If the agent reads a file containing malicious instructions (e.g., in a README or a code comment), it can execute those instructions using the pre-approved tools without requesting permission, effectively bridging the gap from a low-privilege data read to a high-privilege system command.
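The findings above boil down to one question a reviewer can ask mechanically: which entries in `permissions.allow` hand the agent a shell, a package manager, a network client, or a wildcard file reader without any prompt? The following linter is an added example, written for this page; it is not code from the `setperms` skill or from Gen Agent Trust Hub. It assumes the settings file is JSON with a top-level `permissions.allow` list of rule strings of the form `Tool` or `Tool(spec)`, where a Bash spec is either a command prefix with `:*` or a literal command line. The two allow lists embedded in it are constructed for the example (one mirroring the tools the audit names, one narrowed to specific commands) and are not the skill's real file.

```python
"""Lint a Claude Code settings file for over-broad pre-approvals.

Added example, not code from the audited skill or from Gen Agent Trust Hub.
Assumptions (labelled): the file is JSON with a top-level "permissions"
object whose "allow" list holds rule strings of the form Tool or
Tool(spec); a Bash spec is read as "<command> ..." (literal command line)
or "<command>:*" (prefix wildcard). The sample allow lists below are
constructed for this example, not the skill's real contents.
"""
import json
import re
from typing import List, Optional, Tuple

# Command families the audit singles out. A Bash rule whose first word is
# in one of these sets is reported under the matching category.
SHELLS = {"bash", "sh", "zsh", "powershell", "pwsh", "cmd"}
PACKAGE_MANAGERS = {"npm", "npx", "pip", "pip3", "uv", "brew"}
NETWORK = {"curl", "wget", "http", "https", "firecrawl"}
FILE_READERS = {"cat", "rg", "grep", "find"}

RULE_RE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<spec>.*)\))?$")


def first_command(spec: str) -> str:
    """'curl:*' -> 'curl', 'npm run lint' -> 'npm', 'git diff:*' -> 'git'."""
    words = spec.strip().split()
    head = words[0] if words else ""
    return head.split(":", 1)[0].lower()


def is_prefix_wildcard(spec: str) -> bool:
    """True for 'npm:*' (any npm invocation), False for 'npm run lint'."""
    s = spec.strip()
    return s.endswith(":*") and " " not in s


def lint_allow_list(allow: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, category, rule) for each rule a human should review."""
    findings: List[Tuple[str, str, str]] = []
    for rule in allow:
        m = RULE_RE.match(rule.strip())
        if not m:
            findings.append(("HIGH", "UNPARSEABLE_RULE", rule))
            continue
        tool: str = m.group("tool")
        spec: Optional[str] = m.group("spec")
        if tool == "Bash":
            if spec is None or spec.strip() in ("", "*"):
                # Bare Bash pre-approves every shell command the agent proposes.
                findings.append(("HIGH", "COMMAND_EXECUTION", rule))
                continue
            cmd = first_command(spec)
            if cmd in SHELLS:
                findings.append(("HIGH", "COMMAND_EXECUTION", rule))
            elif cmd in PACKAGE_MANAGERS and is_prefix_wildcard(spec):
                findings.append(("HIGH", "COMMAND_EXECUTION", rule))
            elif cmd in NETWORK:
                findings.append(("MEDIUM", "EXTERNAL_DOWNLOADS", rule))
            elif cmd in FILE_READERS and is_prefix_wildcard(spec):
                findings.append(("MEDIUM", "DATA_EXFILTRATION", rule))
        elif tool in ("WebFetch", "WebSearch") and (spec is None or spec.strip() == "*"):
            findings.append(("MEDIUM", "EXTERNAL_DOWNLOADS", rule))
    return findings


def lint_settings(text: str) -> List[Tuple[str, str, str]]:
    """Parse a settings JSON document and lint its permissions.allow list."""
    data = json.loads(text)
    return lint_allow_list(data.get("permissions", {}).get("allow", []))


# Constructed sample: the tool families the audit names, each as a prefix
# wildcard, plus a bare Bash entry. Not the skill's actual file.
WEAK_SETTINGS = json.dumps({"permissions": {"allow": [
    "Bash", "Bash(powershell:*)", "Bash(npm:*)", "Bash(pip:*)", "Bash(uv:*)",
    "Bash(brew:*)", "Bash(curl:*)", "Bash(http:*)", "Bash(firecrawl:*)",
    "Bash(cat:*)", "Bash(rg:*)",
]}})

# Constructed sample of the shape a reviewer would accept: only specific
# command lines are pre-approved, and the network/shell tools are denied.
NARROWED_SETTINGS = json.dumps({"permissions": {
    "allow": ["Bash(npm run lint)", "Bash(npm run test:*)", "Bash(git diff:*)",
              "Bash(rg --files)"],
    "deny": ["Bash(curl:*)", "Bash(powershell:*)"],
}})


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SETTINGS), ("narrowed", NARROWED_SETTINGS)):
        print(f"== {label} ==")
        for severity, category, rule in lint_settings(text):
            print(f"{severity:6} {category:22} {rule}")
```

The prefix-wildcard check is the part that matters: `Bash(npm run lint)` approves one command, whereas `Bash(npm:*)` approves any `npm` invocation, including `npm install` of an attacker-chosen package or `npm exec` of an arbitrary script. Reviewers should also remember that `deny` entries only help if they are in a file the user controls; a skill that rewrites `settings.local.json` can remove them as easily as it adds allow rules.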
Recommendations
- AI detected serious security threats
Audit Metadata