plugin-settings
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The `agent-stop-notification.sh` script in `references/real-world-examples.md` extracts fields from `.claude/multi-agent-swarm.local.md` and uses them in a `tmux send-keys` command. Because the extracted values are typed into the target session as keystrokes, an attacker who can modify the settings file can inject arbitrary shell commands, which the shell running in the coordinator's tmux session will execute.
- PROMPT_INJECTION (LOW): The `ralph-loop` pattern facilitates indirect prompt injection by using file content as agent instructions.
  - Ingestion points: the body of `.claude/ralph-loop.local.md`.
  - Boundary markers: Absent. The `hooks/stop-hook.sh` script extracts the entire markdown body as the `reason` for the agent's next action.
  - Capability inventory: Influences agent state via `jq` output.
  - Sanitization: Absent.
- DATA_EXFILTRATION (SAFE): The example hook `read-settings-hook.sh` includes preventive checks for path traversal and sensitive file access.
Recommendations
- AI detected serious security threats
Audit Metadata