env-setup
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded sensitive credentials found in configuration files:
config/mcp_config.json: Contains a hardcoded Upstash Context7 API key (ctx7sk-d78a61e2-9647-4224-9c8b-f5a679e04741).config/settings.json: Contains a hardcoded Anthropic-compatible authentication token (0b00b813538c416fbb08ea849a4d231a.wAZH2t1Vjt9fP9zQ) used with thehttps://open.bigmodel.cn/api/anthropicendpoint.- [PROMPT_INJECTION]: The skill creates a major vulnerability for 'Indirect Prompt Injection'. It is designed to synchronize and overwrite the agent's global instructions (
CLAUDE.md) and persona definitions (output-styles) from a user-specified remote GitHub repository. A malicious repository could use this to persistently hijack the agent's behavior or disable safety constraints. - Ingestion points: External GitHub repository cloned during setup (referenced in
SKILL.md). - Boundary markers: None. The sync script directly overwrites existing behavior files without validation.
- Capability inventory:
scripts/sync_env.pyhas the ability to write to~/.claude/CLAUDE.md,~/.claude/output-styles/, and~/.claude.json. - Sanitization: None. Data from the remote source is copied directly into the local environment.
- [COMMAND_EXECUTION]: The skill includes Python scripts (
sync_env.py,backup_env.py,restore_env.py) that perform extensive file system operations, including recursive directory removal and file overwriting in sensitive application paths. - [EXTERNAL_DOWNLOADS]: The skill instructions and configuration files encourage cloning external code and installing multiple third-party MCP servers via
npxfrom public registries, which can lead to the execution of unverified code.
Recommendations
- AI detected serious security threats
Audit Metadata