setup
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is vulnerable to indirect injection (Category 8) through user-provided input. In Step 4, the user's name is placed directly into a shell command:
  sed -i '' 's/{{YOUR_NAME}}/用户名字/g' CLAUDE.md
  - Ingestion points: User input for 'User Name' in Step 3 as defined in SKILL.md.
  - Boundary markers: Absent. No delimiters or instructions to ignore embedded commands are present within the interpolation logic.
  - Capability inventory: Execution of bash scripts with file write permissions (via cp and sed) across the SKILL.md instruction set.
  - Sanitization: Absent. There is no logic to escape shell metacharacters or sed delimiters, allowing a user to potentially execute arbitrary commands or corrupt files by providing a specially crafted name (e.g., including ;, `, or $()).
- [Command Execution] (HIGH): The skill utilizes local bash commands to perform file system modifications. While functionally intended for initialization, the practice of interpolating unvalidated user input into these commands poses a significant security risk.
Recommendations
- AI detected serious security threats
Audit Metadata