permission-policy

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's automated approval mechanism is vulnerable to indirect prompt injection, where malicious input in a tool request could trick the evaluator into granting unauthorized access.
      ◦ Ingestion points: The hook script permission-policy.ts ingests untrusted data from tool inputs (input.tool_input) and the project-level policy file (.claude/PERMISSION_POLICY.md).
      ◦ Boundary markers: The prompt template uses basic text headers and dashes as separators, which are insufficient to prevent an attacker from escaping the data context to provide instructions to the model.
      ◦ Capability inventory: The evaluation result determines whether the agent can execute Bash commands, Write files, or perform WebFetch operations without human intervention.
      ◦ Sanitization: Tool inputs are stringified and interpolated directly into the evaluation prompt without any escaping or filtering of potential injection sequences.
  • [COMMAND_EXECUTION]: The skill establishes persistent command execution by registering a hook in the project's configuration.
      ◦ The skill modifies .claude/settings.json to automatically execute bun .claude/hooks/permission-policy.ts whenever specific tools are invoked.
      ◦ The hook script itself spawns a subprocess to call the claude CLI for policy evaluation.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 01:16 AM