file-op

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs a shell command by interpolating user-controlled $ARGUMENTS directly into a string passed to the Bash tool.
  • Evidence: The execution logic in references/usage.md uses Bash(CCB_CALLER=claude ask codex "... $ARGUMENTS", ...).
  • Risk: An attacker can provide input containing shell metacharacters (e.g., backticks, semicolons, or pipe characters) to execute arbitrary commands on the host system.
  • [REMOTE_CODE_EXECUTION]: The skill delegates 'all repo-changing work' to external entities (Codex and OpenCode) without verifying the integrity or origin of the instructions these tools might execute.
  • Evidence: Instructions in references/usage.md explicitly permit OpenCode to 'perform ALL repo-changing work (edits + mutating commands)'.
  • [DATA_EXFILTRATION]: The skill accesses local configuration files and exposes the entire repository's file system to external sub-agents.
  • Evidence: The skill reads ~/.claude/skills/docs/protocol.md and .autoflow/roles.json to determine execution routing.
  • Evidence: The protocol is designed to delegate 'all repo file I/O' to the FileOpsREQ service.
  • [PROMPT_INJECTION]: The skill contains instructions designed to bypass the primary agent's oversight by commanding the sub-agent to ignore passed constraints.
  • Evidence: references/usage.md contains the instruction: 'Do NOT rely on Claude passing constraints.executor. You MUST read roles config yourself'. This overrides the intended control hierarchy of the AI agent.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its ingestion of untrusted local data and lack of sanitization.
  • Ingestion points: Processes $ARGUMENTS from the caller and .autoflow/roles.json from the repository.
  • Boundary markers: Absent; user input is concatenated directly into the instruction string for Codex.
  • Capability inventory: Has full Bash execution, file-read, and file-write capabilities through the FileOpsREQ protocol.
  • Sanitization: None detected. The skill only validates that input is JSON but does not sanitize content for shell or prompt injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 06:11 AM