Plugin Settings
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill documents a pattern that creates a surface for indirect prompt injection. \n
- Ingestion points: Data is read from
.claude/*.local.mdfiles located in the project root (SKILL.md, references/parsing-techniques.md). \n - Boundary markers: The implementation pattern does not define or suggest boundary markers or explicit instructions for the agent to ignore instructions embedded within the configuration files. \n
- Capability inventory: Extracted content from the files is used as a 'system message' or feedback 'reason', allowing external content to influence the agent's logic and next steps (references/parsing-techniques.md, references/real-world-examples.md). \n
- Sanitization: Although JSON construction is safely handled via
jq, no semantic validation or filtering of the markdown prompt content is implemented. \n- [COMMAND_EXECUTION]: Risk of command injection through terminal session interaction via tmux. \n - The
multi-agent-swarmimplementation example inreferences/real-world-examples.mdpasses data extracted from local configuration files directly totmux send-keys. \n - Maliciously modified configuration fields (such as
agent_nameorcoordinator_session) could trigger unintended command execution in target terminal sessions.
Audit Metadata