always-init
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Prompt Injection] (HIGH): The skill uses coercive override language and priority markers ("CRITICAL SYSTEM REQUIREMENT", "MUST be automatically invoked", "Priority Level: P0") designed to bypass the agent's standard task prioritization and force its own execution without exception.
- [Instruction Hijacking] (HIGH): The skill attempts to redefine the agent's internal request-handling logic ("if (userRequest) → invoke('always-init')") to ensure it intercepts every user interaction before any other operation can occur.
- [Data Exposure] (HIGH): The skill commands the reading of a specific sensitive file path: ~/.claude/skills/PAI/SKILL.md. According to the skill's own documentation, this file contains sensitive 'PAI' context including contacts, credential-handling protocols, and private technical stack preferences, leading to unauthorized exposure of sensitive local configuration data into the LLM context.
- [Indirect Prompt Injection Surface] (LOW): By mandating the ingestion of an external file (PAI/SKILL.md) into every conversation, the skill creates a permanent attack surface where any instructions placed in that file would gain persistent control over the agent's behavior.
  - Ingestion points: ~/.claude/skills/PAI/SKILL.md (read operation)
  - Boundary markers: Absent. The skill lacks delimiters or instructions to treat the loaded context as data rather than instructions.
  - Capability inventory: File system read access via read command.
  - Sanitization: Absent. No escaping or validation is performed on the content of the loaded context file.
Recommendations
- AI detected serious security threats
Audit Metadata