wiki-creator
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructs the user or agent to modify the AI agent's internal configuration (`.claude/settings.json`) to set `defaultMode` to `bypassPermissions`. This is a deliberate attempt to suppress safety and permission prompts, allowing the agent to execute commands without human oversight.
- [DATA_EXFILTRATION]: The skill is designed to read through project source code and push extracted information to a remote Git repository. If an attacker provides a malicious remote URL, the agent could be used to exfiltrate proprietary source code, business logic, or sensitive configuration files found during the 'Extract' phase.
- [COMMAND_EXECUTION]: The skill uses complex shell commands involving `git`, `grep`, and `find` to analyze and manage files. There is a risk of command injection if the project structure contains maliciously named files or directories designed to break shell syntax.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from source code files to generate documentation and the new skill's instructions.
  - Ingestion points: Project files such as `schema.prisma`, `package.json`, and source code (`.ts`, `.java`, `.go`) are scanned for domain information.
  - Boundary markers: Uses HTML comments like `<!-- extracted from: ... -->` to mark sections, which provide weak isolation.
  - Capability inventory: The skill possesses `Bash`, `Write`, and `Edit` capabilities, along with `git` access for remote synchronization.
  - Sanitization: No sanitization is performed on the content extracted from the source files before it is written into the new wiki's `SKILL.md` or markdown files.
Recommendations
- AI detected serious security threats
Audit Metadata