peacock-colors
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the 'jq' command-line tool to process and merge JSON data in VS Code settings files.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it reads configuration values from the workspace.
  * Ingestion points: The skill reads the 'peacock.color' field from '.vscode/settings.json' and entries from '~/.claude/.peacock-favorites.json'.
  * Boundary markers: Absent; there are no explicit instructions to the agent to ignore or delimit potentially malicious text within these files.
  * Capability inventory: The agent has the ability to execute 'jq' commands and perform file write operations to both local project directories and the user's home directory.
  * Sanitization: The skill does not define specific validation or escaping mechanisms for the data retrieved from the configuration files before it is processed or presented to the user.