Skills
skills/camacho/ai-skills/sync-dotfiles/Gen Agent Trust Hub

sync-dotfiles

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script uses git, jq, awk, and python3 to manage and merge configuration files.
  • [REMOTE_CODE_EXECUTION]: The skill invokes npx skills add to install packages from the author's GitHub repository (camacho/ai-skills).
  • [EXTERNAL_DOWNLOADS]: The script clones a repository from GitHub (https://github.com/camacho/ai-env.git) if a local directory is not specified.
  • [COMMAND_EXECUTION]: Execution of an embedded Python script via a heredoc is used for merging TOML configuration files.
  • [COMMAND_EXECUTION]: The script automatically grants execution permissions to synchronized shell scripts using chmod +x.
  • [PROMPT_INJECTION]: The skill processes configuration files that may contain instructions, creating a vulnerability surface for indirect prompt injection.
  • Ingestion points: Data enters the agent's context through the reading of ~/.claude/CLAUDE.md and other synchronized files.
  • Boundary markers: Data is processed without delimiters to distinguish it from system instructions.
  • Capability inventory: The skill has the ability to execute shell commands, perform network operations, and modify the file system.
  • Sanitization: Ingested configuration data is integrated into the system without filtering or validation.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 9, 2026, 02:15 PM