extract
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a workflow step that executes a complex shell command using grep and command substitution to search through local directories.
- [DATA_EXFILTRATION]: The skill specifically targets and reads internal application data stored in $HOME/.claude/projects/, exposing potentially sensitive development history, project logs, and private context to the agent.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by ingesting raw project memory and user descriptions to generate new instruction sets.
Evidence Chain:
- Ingestion points: Project memory files and user-provided pattern descriptions (SKILL.md).
- Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the source material.
- Capability inventory: Includes shell command execution (grep) and file system write access for skill creation.
- Sanitization: The skill verifies formatting but lacks sanitization against malicious instructions embedded in the processed memory data.
Audit Metadata