settings-management
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents and enables the configuration of the hooks.PreToolUse, statusLine, and fileSuggestion settings in Claude Code, as well as notify commands in Codex CLI, all of which execute arbitrary shell commands.
- [REMOTE_CODE_EXECUTION]: It details the apiKeyHelper setting, which executes a specified script through /bin/sh, creating a vector for executing external code during agent authentication.
- [PROMPT_INJECTION]: The skill provides instructions for the agent to modify its own core operational policies, such as approval_policy and sandbox_mode, which could be exploited to bypass safety mechanisms or escalate privileges.
- [DATA_EXFILTRATION]: The workflow involves reading and writing configuration files (e.g., ~/.claude/settings.json) that typically contain sensitive environment variables and API tokens.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
  - Ingestion points: Reads configuration from project-level files (.claude/settings.json, .codex/config.toml) that may be controlled by external repository contributors.
  - Boundary markers: No boundary markers or safety instructions are provided to the agent when it reads and merges these external configuration files.
  - Capability inventory: The skill utilizes file system access and documents multiple shell command execution pathways through various configuration settings.
  - Sanitization: The workflow does not include validation or sanitization of configuration content before it is applied to the agent's runtime environment.
Audit Metadata