ck-help
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill executes a local Python script using the command python .claude/scripts/ck-help.py "$ARGUMENTS". User-controlled input in $ARGUMENTS is interpolated directly into a shell string without explicit sanitization or escaping instructions. The surrounding double quotes do not protect the command: $ARGUMENTS is substituted as text before the shell parses the line, so a double quote inside the input closes the quoted string and everything after it is parsed as shell syntax, and even inside double quotes the shell still performs command substitution ($(...) and backticks) and variable expansion. An attacker could therefore use shell metacharacters (e.g., ;, &&, |, $(...)) to execute arbitrary system commands.
- PROMPT_INJECTION (MEDIUM): The instructions include strong imperative constraints such as "Never replace or summarize script output" and "Always show fully". These directives are designed to override the agent's default summarization and safety behaviors, forcing it to act as a transparent pipe for potentially malicious script output.
- INDIRECT_PROMPT_INJECTION (HIGH): The agent's presentation logic is gated by type markers (e.g., @CK_OUTPUT_TYPE:comprehensive-docs) produced by an external script. Since the script's behavior depends on user input and its source code is not provided for review, an attacker could influence the script's output to include malicious markers or instructions that the agent is pre-programmed to trust and act on.
- UNVERIFIABLE_DEPENDENCY (MEDIUM): The skill relies on a local script located at .claude/scripts/ck-help.py. This script is not part of the provided skill files, making its behavior unverifiable and potentially dangerous if it performs network operations or accesses sensitive files based on the $ARGUMENTS it receives.
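As an added illustration of the COMMAND_EXECUTION finding (this is not code from the audited skill or from the Trust Hub), the following shell script reproduces the textual substitution of $ARGUMENTS into the command template and contrasts it with handing the argument to the script out of band. The ck-help.py stand-in, the CK_ARGS variable name and the sample inputs are constructed for this demo; the real script is not on the page, and the hardened path assumes the script can be changed to read its argument from the environment.

```shell
#!/bin/sh
# Added demo: why `python .claude/scripts/ck-help.py "$ARGUMENTS"` is
# injectable when $ARGUMENTS is spliced in as text, and a safer hand-off.
# Everything below (stand-in script, CK_ARGS, inputs) is constructed.

PY="$(command -v python3 || command -v python)"
SCRIPT_DIR="$(mktemp -d)"

# Stand-in for ck-help.py (assumption: the real script is not on the page).
# It echoes its argument, taken positionally or from CK_ARGS.
cat > "$SCRIPT_DIR/ck-help.py" <<'EOF'
import os
import sys

arg = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("CK_ARGS", "")
print("ARG=" + arg)
EOF

# Template expansion as the skill runner does it: the user text replaces
# $ARGUMENTS literally, and only afterwards does a shell parse the result.
# The double quotes in the template therefore only quote until the first
# '"' that the user supplies.
expand_template() {
    printf 'python3 %s/ck-help.py "%s"\n' "$SCRIPT_DIR" "$1"
}

# Vulnerable path: run the expanded template string through a shell.
run_vulnerable() {
    sh -c "$(expand_template "$1")" 2>&1
}

# Hardened path: never build a command string from user text. The argument
# travels in an environment variable and the script reads it directly, so
# no shell ever parses the user-controlled bytes.
run_hardened() {
    CK_ARGS="$1" "$PY" "$SCRIPT_DIR/ck-help.py" 2>&1
}

# Stand-alone demonstration
echo "--- benign input, vulnerable path ---"
run_vulnerable 'hello'
echo "--- quote breakout via the template ---"
run_vulnerable '"; echo INJECTED; echo "'
echo "--- command substitution inside the double quotes ---"
run_vulnerable '$(echo SUBSHELL)'
echo "--- same inputs, hardened path ---"
run_hardened '"; echo INJECTED; echo "'
run_hardened '$(echo SUBSHELL)'
```

The second vulnerable call shows the breakout the finding describes: the expanded command becomes python3 .../ck-help.py ""; echo INJECTED; echo "", so the script receives an empty argument and the injected command runs afterwards. The third call shows that even without leaving the quotes, $(...) is still evaluated by the shell. On the hardened path both inputs arrive in the script verbatim.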
Recommendations
- AI detected serious security threats
Audit Metadata