1c-project-init

Fail

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: HIGH
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's primary function is to run PowerShell scripts (init.ps1, edt-import.ps1) that execute local commands and manage remote server state over SSH and Docker.
  • [REMOTE_CODE_EXECUTION]: The scripts connect over SSH to remote infrastructure (YOUR_EDT_SERVER, YOUR_GITEA_SERVER) as root. They run administrative commands such as systemctl and docker exec and execute remote shell scripts (e.g., /opt/start-bsl-lsp.sh). Anything that can steer these scripts, including injected input, therefore acts as root on both servers.
  • [EXTERNAL_DOWNLOADS]: mcp.json.template configures the playwright MCP server as npx @playwright/mcp@latest. Every run fetches and executes whatever version the NPM registry currently serves under that tag; with no version pin, a hijacked or malicious release would be pulled into the agent's environment on the next start.
  • [CREDENTIALS_UNSAFE]: Multiple files contain hardcoded credential placeholders and patterns. init.ps1 embeds a password directly in a Git remote URL (http://admin:YOUR_GITEA_PASSWORD@...), so once the placeholder is filled in the password is written to .git/config and exposed in process listings, and it travels over plain http. edt-import.ps1 holds the database password in a hardcoded variable ($DB_PWD).
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection through the project names and paths it ingests from the user.
      • Ingestion points: the target-path argument and several interactive inputs (project name, 1C base name) used throughout the setup process.
      • Boundary markers: none. User-provided strings are interpolated directly into file system paths, template placeholders, and shell command arguments.
      • Capability inventory: file read/write access plus execution of PowerShell and SSH commands with high privileges.
      • Sanitization: the Validate-LatinName function in edt-import.ps1 performs only rudimentary character validation, which does not reliably block path traversal or command injection through those interpolation points.
  • [COMMAND_EXECUTION]: init.ps1 automatically generates a .claude/settings.json that allows Bash(powershell *). This pre-approves any PowerShell invocation in every project initialized by the skill, removing the per-command confirmation that would otherwise gate it.
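The sanitization and boundary-marker findings above describe the gap without showing how to close it. The following PowerShell is an added example written for this page, not code from the 1c-project-init skill: it applies an allow-list to each user-supplied name before it reaches a path, a template or an ssh argument, confirms the normalised path still lies under the target root, and quotes the remote argument for POSIX sh. The function names (Test-SafeProjectName, Resolve-ContainedPath, ConvertTo-ShQuoted, New-RemoteStartCommand), the allow-list pattern, the C:\Projects root and the sample inputs are assumptions; /opt/start-bsl-lsp.sh is the script path named in the audit, and that it takes the base name as an argument is assumed.

```powershell
# Added example, not code from the 1c-project-init skill.
# Closes the three interpolation points the audit names: file-system paths,
# template placeholders and ssh command arguments. All names are assumed.
Set-StrictMode -Version Latest

function Test-SafeProjectName {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Name)
    # Allow-list, not deny-list: ASCII letter first, then letters, digits, '_' or '-',
    # at most 64 characters. This rejects path separators, '..', whitespace, quotes,
    # '$', '`', ';' and '&' before the value reaches Join-Path, a template or ssh.
    return $Name -cmatch '^[A-Za-z][A-Za-z0-9_-]{0,63}$'
}

function Resolve-ContainedPath {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Name
    )
    if (-not (Test-SafeProjectName $Name)) { throw "Rejected project name: '$Name'" }
    $rootFull  = [System.IO.Path]::GetFullPath($Root)
    $candidate = [System.IO.Path]::GetFullPath((Join-Path $rootFull $Name))
    # Second line of defence: after normalisation the path must still sit under the root.
    $sep = [System.IO.Path]::DirectorySeparatorChar
    $rootPrefix = $rootFull.TrimEnd($sep) + $sep
    if (-not $candidate.StartsWith($rootPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Path escapes target root: '$candidate'"
    }
    return $candidate
}

function ConvertTo-ShQuoted {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # ssh hands the whole command string to the remote login shell, so each argument
    # needs POSIX sh quoting: wrap in single quotes and escape embedded ones as '\''.
    return "'" + $Value.Replace("'", "'\''") + "'"
}

function New-RemoteStartCommand {
    param(
        [Parameter(Mandatory)][string]$BaseName,
        # /opt/start-bsl-lsp.sh is named in the audit; that it takes the base name
        # as its argument is an assumption made for this example.
        [string]$Script = '/opt/start-bsl-lsp.sh'
    )
    if (-not (Test-SafeProjectName $BaseName)) { throw "Rejected 1C base name: '$BaseName'" }
    # Quote even after validation, so a later relaxation of the allow-list cannot
    # silently reintroduce command injection on the remote side.
    return "$Script $(ConvertTo-ShQuoted $BaseName)"
}

# Constructed inputs standing in for what an interactive prompt or -TargetPath might deliver.
$samples = @(
    'MyProject',
    'erp-2026_dev',
    '..\..\Windows\System32',
    'proj; rm -rf /',
    'x$(whoami)',
    'имя',          # non-Latin letters fail the allow-list as well
    ''
)
foreach ($s in $samples) {
    $verdict = if (Test-SafeProjectName $s) { 'accept' } else { 'reject' }
    Write-Host ('{0,-7} [{1}]' -f $verdict, $s)
}

# Full flow for accepted values; the rejected ones above throw before anything is built.
$projectDir = Resolve-ContainedPath -Root 'C:\Projects' -Name 'MyProject'
$remoteCmd  = New-RemoteStartCommand -BaseName 'erp-2026_dev'
Write-Host "local dir : $projectDir"
Write-Host "remote cmd: $remoteCmd"
# ssh root@YOUR_EDT_SERVER -- $remoteCmd
```

The allow-list does the real work; the path-prefix check and the sh quoting are there so that a single mistake in the regex does not become traversal or remote command injection. Since these scripts run on Windows, the path check uses the platform separator from System.IO.Path rather than a hardcoded backslash.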
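The CREDENTIALS_UNSAFE finding names two patterns: a password inside the authority part of a Git remote URL and a password held in a script variable. The PowerShell below is an added example for this page, not code from the skill. Find-EmbeddedCredential is a check you can run over init.ps1 and edt-import.ps1 to locate both patterns; Register-GiteaRemote shows the hardened shape, where the remote URL carries no credentials and the secret is read from an environment variable and handed to git on stdin through `git credential approve`, so it appears in neither .git/config nor the process command line. The function names, the GITEA_TOKEN variable, the https scheme, the credential-helper choice and the sample lines are assumptions.

```powershell
# Added example, not code from the 1c-project-init skill. Names and samples are assumed.

function Find-EmbeddedCredential {
    param([Parameter(Mandatory)][string[]]$Lines)
    # scheme://user:password@  (the init.ps1 pattern named in the audit)
    $urlCred = '[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:[^@\s]+@'
    # $DB_PWD = "literal"  (the edt-import.ps1 pattern named in the audit)
    $pwdVar  = '\$\w*(PWD|PASS|PASSWORD|SECRET)\w*\s*=\s*["''][^"'']+["'']'
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if ($line -match $urlCred) {
            $hits += [pscustomobject]@{ Line = $i + 1; Kind = 'url-credential';   Text = $line.Trim() }
        } elseif ($line -match $pwdVar) {
            $hits += [pscustomobject]@{ Line = $i + 1; Kind = 'literal-password'; Text = $line.Trim() }
        }
    }
    return $hits
}

function Register-GiteaRemote {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. YOUR_GITEA_SERVER
        [Parameter(Mandatory)][string]$Owner,
        [Parameter(Mandatory)][string]$Repo,
        [string]$User = 'admin',
        [string]$TokenVariable = 'GITEA_TOKEN'   # assumed variable name
    )
    $token = [Environment]::GetEnvironmentVariable($TokenVariable)
    if ([string]::IsNullOrEmpty($token)) {
        throw "Set `$env:$TokenVariable before running; the token is never placed in the URL."
    }
    # https instead of the audit's http, and no user:password@ in the authority.
    $remote = "https://$Server/$Owner/$Repo.git"
    git remote add origin $remote

    # Hand the secret to git's credential subsystem on stdin. This assumes a credential
    # helper is configured (Git for Windows ships Git Credential Manager, helper name 'manager');
    # without one, 'git credential approve' stores nothing and git will prompt instead.
    $descriptor = @(
        'protocol=https'
        "host=$Server"
        "username=$User"
        "password=$token"
        ''
    ) -join "`n"
    $descriptor | git credential approve
    return $remote
}

# Constructed lines imitating the patterns the audit describes; the first two should be
# reported, the last two (no credential in the URL, password from the environment) should not.
$sample = @(
    '$remote = "http://admin:YOUR_GITEA_PASSWORD@YOUR_GITEA_SERVER/org/repo.git"',
    '$DB_PWD = "changeme"',
    '$remote = "http://YOUR_GITEA_SERVER/org/repo.git"',
    '$DB_PWD = $env:ONEC_DB_PASSWORD'
)
Find-EmbeddedCredential -Lines $sample | Format-Table -AutoSize

# Against the real files:
#   Find-EmbeddedCredential -Lines (Get-Content .\init.ps1)
#   Find-EmbeddedCredential -Lines (Get-Content .\edt-import.ps1)
# Hardened remote setup, run inside the initialised repository:
#   $env:GITEA_TOKEN = '<token from your secret store>'
#   Register-GiteaRemote -Server YOUR_GITEA_SERVER -Owner org -Repo repo
```

The scanner is deliberately narrow so it can be dropped into a pre-commit hook or CI check without noise; it reports the two shapes the audit found and ignores assignments that read from the environment. The same stdin-based approach works for the database password: read it from $env or a secret store at run time instead of assigning a literal to $DB_PWD.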
Recommendations
  • The automated analysis detected serious security threats; the skill fails the audit.
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 4, 2026, 10:34 AM