docs-workflow

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • Data Exposure & Exfiltration (HIGH): The /docs-claude command is instructed to parse .env files to identify environment variables. Accessing .env files is a high-risk behavior as they typically contain sensitive credentials, API keys, and secrets. Evidence: Found in commands/docs-claude.md under the scan project state section.
  • External Downloads (LOW): The /docs-update command performs network requests via the npm view command to check for package version updates. This constitutes a network operation to a non-whitelisted external source (npm registry) in the context of generic skill execution. Evidence: Found in commands/docs-update.md under the check currency section.
  • Command Execution (LOW): The skill relies on executing system commands like git log and git remote to gather project information and documentation dates. Evidence: Described in the process sections of commands/docs-init.md and commands/docs-update.md.
  • Indirect Prompt Injection (LOW): The skill ingests untrusted data from project files (package.json, documentation, and potentially attacker-controlled .env files) to generate its reports. This represents a vulnerability surface where malicious content could influence the agent's behavior.
    1. Ingestion points: .env, package.json, CLAUDE.md, and files in the docs/ directory.
    2. Boundary markers: Absent; there are no instructions to the agent to treat this content as untrusted or ignore embedded instructions.
    3. Capability inventory: The agent has the ability to read/write files and execute git/npm commands.
    4. Sanitization: No evidence of sanitization or escaping of external content is provided.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:34 PM