claude-code-pm
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill leverages the 'claude' CLI with the '--dangerously-skip-permissions' flag within 'scripts/delegate.sh'. This configuration allows the background session to execute commands and modify the file system autonomously, bypassing the standard interactive permission checks.
- [EXTERNAL_DOWNLOADS]: The skill documentation and setup scripts reference the use of 'npx skills add' to install functional extensions. It fetches these from the vendor's own repository 'cyberelf/agent_skills' and from the trusted organization 'vercel-labs/agent-skills'.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted data to guide autonomous high-privilege actions.
  1. Ingestion points: The 'scripts/delegate.sh' script instructs the sub-agent to read and follow requirements from 'requirements.md', which is derived from user input.
  2. Boundary markers: No explicit delimiters or security markers are used in the prompt to isolate the requirements data from the sub-agent's primary instructions.
  3. Capability inventory: The background agent operates with significant capabilities, including arbitrary file writes and command execution, granted by the skip-permissions flag.
  4. Sanitization: There is no evidence of sanitization or validation of the requirements file content before processing.
Audit Metadata