Skills
skills/christian289/dotnet-with-claudecode/customizing-controltemplate/Gen Agent Trust Hub

customizing-controltemplate

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The C# TemplateHelper.CreateTemplate method utilizes XamlReader.Load to dynamically instantiate objects from a provided string.
  • Evidence: The CreateTemplate(string xaml) method in SKILL.md converts a UTF-8 string into a MemoryStream and passes it directly to XamlReader.Load(stream, context).
  • Risk: XAML parsing is functionally equivalent to code execution; maliciously crafted XAML can use features like ObjectDataProvider to invoke arbitrary system methods or launch external processes when the XAML is loaded.
  • [COMMAND_EXECUTION]: The skill introduces a significant vulnerability surface for indirect injection or data-driven attacks through its helper logic.
  • Ingestion points: The xaml parameter in the TemplateHelper.CreateTemplate method (File: SKILL.md).
  • Boundary markers: None identified; the method processes the raw string input without delimiters or warnings to ignore embedded instructions.
  • Capability inventory: The skill enables dynamic .NET object instantiation which can be escalated to shell execution or system manipulation via XAML injection techniques.
  • Sanitization: None; the implementation lacks validation, XML schema enforcement, or sanitization to prevent the use of high-risk XAML elements.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 28, 2026, 11:31 AM