claude-md-master
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- [Data Exposure] (INFO): The skill is designed to scan project configuration files, including .env.example, Dockerfile, and CI/CD scripts. While these files often contain sensitive templates, the skill has an explicit core rule: "Never include secrets, tokens, credentials, or user data."
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from the repository (source code, READMEs, and build logs) to determine project conventions. This presents a theoretical surface for indirect prompt injection if a codebase contains malicious comments intended to influence the generated documentation. This is mitigated by the required user review and approval process before files are written.
- [File System Access] (INFO): The skill performs recursive directory scanning and targeted file reads. This behavior is documented and necessary for its primary function of identifying the project's technology stack and module structure.
- [External References] (INFO): The skill references multiple local markdown files (e.g., references/android.md) for stack-specific patterns. These are internal to the skill's distribution and do not involve remote downloads or external execution.
Audit Metadata