plugin-settings
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The example script `agent-stop-notification.sh` (embedded in `references/real-world-examples.md`) is vulnerable to command injection via unsanitized file input.
  - Evidence: The script reads variables like `AGENT_NAME` and `TASK_NUMBER` from `.claude/multi-agent-swarm.local.md` and passes them directly to `tmux send-keys -t "$COORDINATOR_SESSION" "$NOTIFICATION" Enter`.
  - Risk: Because these fields are extracted from a local file without sanitization, an attacker who can influence the settings file could inject shell commands. When the script sends the 'Enter' key to the tmux session, the injected commands would execute in the context of the terminal running in that session.
- PROMPT_INJECTION (LOW): The `ralph-wiggum` example in `references/real-world-examples.md` introduces a significant indirect prompt injection surface.
  - Ingestion points: `.claude/ralph-loop.local.md` (read by `hooks/stop-hook.sh` in `references/real-world-examples.md`).
  - Boundary markers: None present; the file body is read directly into the prompt.
  - Capability inventory: Session loop control and prompt re-injection via the `block` decision in the stop hook.
  - Sanitization: None; the script extracts the markdown body and uses it as the 'reason' for blocking, which the agent treats as its next instructions.
  - Risk: This represents an autonomous loop (Category 8b) where the agent's behavior is driven by the content of a local file that could be poisoned by external data.
- SAFE (INFO): The primary utility scripts, `parse-frontmatter.sh` and `validate-settings.sh`, follow security best practices by using atomic file operations and standard parsing tools like `sed` and `awk` without resorting to dangerous functions like `eval`.
Audit Metadata