scaffold-workshop
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script located at
.claude/tools/scaffold_workshop.pyusing theuvtool. It interpolates user-provided arguments (directory name, title, and description) into a shell command. While these are wrapped in double quotes, there is a theoretical risk of command injection if the underlying shell environment incorrectly handles specific metacharacters inside the input strings. - [EXTERNAL_DOWNLOADS]: The skill uses
WebSearchandWebFetchto retrieve information from external sources, specifically targeting AWS documentation and SDK references. While the intended targets are trusted/well-known services, these tools can technically access any URL returned by a search engine. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from the web and uses it to generate executable code (
clean_resources.py) and documentation. - Ingestion points: Data returned by
WebSearchandWebFetchtools (SKILL.md, Step 3). - Boundary markers: None explicitly implemented to isolate web-fetched content from the agent's instructions.
- Capability inventory: The skill possesses
Write,Edit, andBashtools, allowing it to commit the drafted content and code to the local filesystem. - Sanitization: No sanitization or validation is performed on the content retrieved from the web before it is used to replace TODO markers in templates.
Audit Metadata