extract

Warn

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill directs the agent to execute shell commands such as grep and sed using keywords provided by the user. If these keywords are not properly sanitized, an attacker could craft an injection payload (e.g., using semicolons or backticks) to execute arbitrary commands on the host machine.
  • [DATA_EXFILTRATION]: The skill accesses $HOME/.claude/projects/, which contains sensitive memory and historical context for specific projects. By extracting and potentially sharing this information as 'portable skills', there is a risk of exposing private code, credentials, or proprietary information.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by processing untrusted data from project memory files to create new instructions.
  • Ingestion points: Files in the $HOME/.claude/projects/ directory.
  • Boundary markers: None; the skill does not define delimiters to separate user data from instructions.
  • Capability inventory: Subprocess execution via shell commands and the ability to spawn agents that write to the file system.
  • Sanitization: The skill lacks any explicit sanitization or validation of the keywords or the retrieved content before using it to generate new executable SKILL.md files.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 11, 2026, 01:23 PM