search-first
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructs the agent to read platform configuration files (~/.claude/settings.json) and the local skills directory (~/.claude/skills/). While intended to discover existing tools and prevent duplication, these files can contain sensitive environment metadata and configuration settings.
- [EXTERNAL_DOWNLOADS]: The workflow explicitly promotes searching for and installing third-party packages from public registries (npm, PyPI) and GitHub. This behavior facilitates the introduction of unvetted external code into the local development environment, posing a supply chain risk.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its reliance on untrusted external data sources during the research phase.
  - Ingestion points: The agent processes search results, repository descriptions, and documentation from npm, PyPI, GitHub, and general web queries.
  - Boundary markers: No specific delimiters or "ignore instructions" directives are provided in the subagent task prompt template to isolate untrusted data from the agent's instructions.
  - Capability inventory: The workflow leads directly to package installations (npm install, pip install) and the configuration of MCP servers based on information retrieved from the web.
  - Sanitization: There is no mechanism described for validating or sanitizing external content before it is used to inform the agent's decisions in the "Decision Matrix."
Audit Metadata