marketplace-dev
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/post_edit_sync_check.sh is vulnerable to command injection. It extracts a directory name from the local file system and interpolates it directly into a Python command string through shell variable substitution (skill_name = '$SKILL_NAME'). An attacker who can influence directory names within a repository could execute arbitrary Python code when this script is triggered by a file edit.
- [COMMAND_EXECUTION]: The script scripts/post_edit_validate.sh uses a directory path derived from tool input to execute a shell command (cd "$MARKETPLACE_DIR") without sufficient validation or escaping. This allows potential command injection if the input path contains shell metacharacters such as semicolons or backticks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data processing workflow.
  * Ingestion points: The skill reads metadata and descriptions from untrusted SKILL.md files located within the target repository path provided by the user.
  * Boundary markers: Absent; the skill instructions explicitly mandate using the EXACT text from the description frontmatter field without adding delimiters or security warnings.
  * Capability inventory: The skill can write files (marketplace.json) and execute system commands (claude plugin, find, git).
  * Sanitization: Absent; descriptions are copied verbatim from external files and interpolated into the marketplace.json manifest, creating a surface where malicious instructions could influence downstream agents or users processing the marketplace catalog.
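The two COMMAND_EXECUTION findings share one root cause: a string taken from the file system or from tool input reaches a command line as code rather than as data. The shell example below is added here and is not code from marketplace-dev or from the audit; it reconstructs each pattern from the audit's description beside a form that keeps the value as data. The function names (skill_name_vulnerable, skill_name_safe, marketplace_dir_validate) and the inputs are hypothetical and constructed, and the block assumes python3 is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the marketplace-dev scripts: the two interpolation
# patterns the audit describes, each beside a form that keeps the untrusted
# value as data. Every function name here is hypothetical.

# --- Finding 1: a directory name spliced into Python source via $SKILL_NAME ---

# Vulnerable pattern: the shell expands $SKILL_NAME inside the double-quoted
# Python source, so a single quote in the name closes the string literal and
# whatever follows is parsed as Python.
skill_name_vulnerable() {
  local SKILL_NAME="$1"
  python3 -c "skill_name = '$SKILL_NAME'; print(skill_name)" 2>/dev/null
}

# Hardened form: the Python source is a fixed single-quoted string and the name
# arrives through argv, so no character in it can alter the program.
skill_name_safe() {
  local SKILL_NAME="$1"
  python3 -c 'import sys; skill_name = sys.argv[1]; print(skill_name)' "$SKILL_NAME"
}

# --- Finding 2: a tool-supplied path used in cd "$MARKETPLACE_DIR" ---

# Validation to run before the path is used anywhere: it must be a real
# directory and must resolve (symlinks and .. included) to inside the root the
# tool is allowed to touch. Prints the canonical path on success, returns 1
# otherwise. The root must itself be a canonical (pwd -P) path.
marketplace_dir_validate() {
  local root="$1" candidate="$2" resolved
  resolved=$(cd -- "$candidate" 2>/dev/null && pwd -P) || return 1
  case "$resolved" in
    "$root"|"$root"/*) printf '%s\n' "$resolved" ;;
    *) return 1 ;;
  esac
}

# Stand-alone demonstration on a constructed name that ends the Python string
# early and reassigns the variable.
demo_name="a'; skill_name='b"
printf 'vulnerable -> %s\n' "$(skill_name_vulnerable "$demo_name")"   # b
printf 'safe       -> %s\n' "$(skill_name_safe "$demo_name")"         # a'; skill_name='b

# A path with a metacharacter is rejected because no such directory exists,
# not because the shell ran anything: the quoted cd treats it as one string.
marketplace_dir_validate /srv/marketplace '/srv/marketplace/x; echo pwned' \
  || echo 'rejected: not a directory under the allowed root'
```

Note on the second finding: a double-quoted `cd "$MARKETPLACE_DIR"` does not re-parse semicolons or backticks, which is why the validator above will accept a directory that is literally named `semi; echo x` as data. The metacharacters become executable where the value is later used unquoted, through eval, or inside a string handed to another interpreter, which is exactly the shape of the first finding. Resolving the path and checking it against an allowed root is the fix a practitioner would apply in either case, since it also closes symlink and `..` escapes that no amount of quoting addresses.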
Audit Metadata