docs-seeker
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted external data (llms.txt files) and user queries to recommend "agent distribution strategies." This allows external content to potentially influence or hijack the agent's workflow and parallel execution decisions.
  - Ingestion points: External llms.txt content from context7.com and raw <user query> strings.
  - Boundary markers: None present; data is interpolated directly into shell commands and processed by scripts.
  - Capability inventory: Executes shell commands via node and cat and directs agent distribution.
  - Sanitization: No evidence of sanitization or escaping for user-provided strings in shell execution.
- [Data Exposure] (HIGH): The skill's environment configuration documentation specifies loading .env files from parent and global directories (e.g., .claude/.env). This behavior allows the skill to access credentials and API keys stored at the system or application level.
- [Command Execution] (HIGH): The skill's primary function is the execution of local Node.js scripts (detect-topic.js, fetch-docs.js, analyze-llms-txt.js) using subprocess calls. These scripts are invoked with untrusted user input, increasing the risk of argument injection.
- [Network Operations] (MEDIUM): The skill targets context7.com, a non-whitelisted domain, to retrieve documentation. While the stated purpose is documentation discovery, the combination of network access and sensitive file access (.env) increases exfiltration risk.
Recommendations
- AI detected serious security threats
Audit Metadata