compound
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted conversation data to generate documentation and potentially modify other skill configurations.
  - Ingestion points: Data is extracted from the conversation history in Step 2 of SKILL.md.
  - Boundary markers: None are explicitly used when interpolating untrusted content into Markdown templates.
  - Capability inventory: The skill uses Bash and Write tools to manage files in the knowledge/ directory and .claude/skills/ path.
  - Sanitization: Step 4 implements filename sanitization (lowercase, hyphenation, special character removal), and Step 5 performs schema validation against schema.yaml.
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to perform directory creation and searching. Step 3 constructs search patterns using data extracted from the conversation before the formal validation gate in Step 5. This presents a surface for command injection if the underlying tool execution does not properly escape shell characters in the domain or tags fields.