cache-audit
Fail
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill directs the agent to execute shell commands such as `git status --porcelain | wc -c` and `wc -c` to measure file sizes and state.
- [COMMAND_EXECUTION]: Instructions explicitly mandate that the agent "Run ALL 8 checks automatically" and "Do NOT ask for confirmation," which bypasses the standard human-in-the-loop security model for command execution.
- [CREDENTIALS_UNSAFE]: The skill accesses highly sensitive global configuration files including `~/.claude/settings.json` and `~/.claude.json`. These files often contain plaintext API keys, environment variables for Model Context Protocol (MCP) servers, and session tokens.
- [CREDENTIALS_UNSAFE]: The skill reads project memory files (`MEMORY.md`), which may contain sensitive context or proprietary information from previous development sessions.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads and processes instructions from project-level files like `$PROJECT/CLAUDE.md` and `$PROJECT/.claude/rules/*.md`.
- [PROMPT_INJECTION]: Mandatory Evidence Chain for Category 8:
  1. Ingestion points: `$PROJECT/CLAUDE.md`, `$PROJECT/.claude/rules/*.md`, and project-specific `MEMORY.md`.
  2. Boundary markers: No delimiters or 'ignore' instructions are used when reading these files.
  3. Capability inventory: The skill utilizes file reading (`cat`, `ls`) and shell execution (`bash`).
  4. Sanitization: There is no evidence of sanitization or validation of the content read from the project files before it is processed by the LLM.
Recommendations
- AI detected serious security threats
Audit Metadata