skill-developer
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The framework utilizes local script execution (Bash and TypeScript via tsx) to implement hooks for prompt modification and tool gating. This behavior is documented as the primary mechanism for skill activation and is appropriate for the skill's stated purpose.
- [EXTERNAL_DOWNLOADS]: The documentation suggests using npx and npm install to manage dependencies from the public npm registry, which is a whitelisted and well-known service.
- [PROMPT_INJECTION]: The UserPromptSubmit hook architecture introduces an indirect prompt injection surface by interpolating user-provided prompts into logic that injects context into the session.
  - Ingestion points: User prompt input via stdin in .claude/hooks/skill-activation-prompt.ts.
  - Boundary markers: The skill uses visual banners to separate injected context but does not implement explicit delimiters or warnings to ignore instructions within the user prompt.
  - Capability inventory: The framework supports subprocess execution (npx tsx) and file system access for session tracking.
  - Sanitization: No documented sanitization or escaping of the user prompt before regex processing or context injection.
Audit Metadata