reviewing-claude-config
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's primary function is to provide security auditing checklists and patterns. It operates locally using restricted tools (
Read,Grep,Glob) to analyze configuration files likeCLAUDE.md,skill.md, andsettings.json. - [COMMAND_EXECUTION]: The skill includes a local utility script (
scripts/security-scan.sh) that users or agents can execute to find hardcoded credentials and broad permissions. Analysis of the script confirms it only performs localgrepandgitoperations and does not contain malicious logic or network exfiltration attempts. - [INDIRECT_PROMPT_INJECTION]: As an auditing tool, the skill naturally ingests untrusted configuration data for review. While this provides a surface for indirect prompt injection, the skill incorporates structured thinking (
<thinking>) blocks to maintain reasoning integrity and uses a restricted set of tools that limits the impact of potential injections.
Audit Metadata