command-creator
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted user input to generate agent instructions without sanitization or boundary markers. \n
- Ingestion points: Step 3 (Command information gathering) and Step 4 (Optimized command generation). \n
- Boundary markers: Absent; user input is directly interpolated into the command template. \n
- Capability inventory: The resulting commands can execute arbitrary shell tools via the agent's capabilities (e.g., devrun). \n
- Sanitization: Absent; no validation or escaping of user-provided instructions. \n- Persistence Mechanisms (HIGH): Creates persistent executable files in global and project-level directories, allowing instructions to survive across sessions and be triggered via slash commands. \n
- Evidence: Step 5 explicitly writes command files to ~/.claude/commands/ or .claude/commands/. \n- Command Execution (LOW): Performs environmental checks and directory setup using shell commands. \n
- Evidence: git rev-parse (Step 1) and mkdir -p (Step 5).
Recommendations
- AI detected serious security threats
Audit Metadata