skill-manager
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is configured to access sensitive local configuration files, specifically
~/.claude/settings.json, which may contain authentication tokens and private environment settings. - [DATA_EXFILTRATION]: Data retrieved from local inventories (including agent definitions and business context files) is intended to be processed and used as input for external tools like
WebSearchandmcp__apify__search-actors, potentially leaking details of the user's private ecosystem to third-party services. - [COMMAND_EXECUTION]: The skill utilizes shell-based tools including
Bash(ls)andGrepto perform recursive scans and content searches across the file system, which exposes a command execution surface. - [PROMPT_INJECTION]: The skill is highly susceptible to Indirect Prompt Injection because its primary function involves reading and interpreting content from a wide array of untrusted external files.
- Ingestion points:
~/.claude/agents/*.md,~/.claude/skills/*/SKILL.md,~/.claude/plugins/cache/, and project-level.claude/skills/directories. - Boundary markers: None identified in the skill instructions to prevent the agent from obeying instructions embedded within the audited files.
- Capability inventory: Access to
Bash,Read,Grep,WebSearch, andAgent(Explore)tools provides a broad range of actions that could be subverted by a malicious skill being audited. - Sanitization: No explicit sanitization or validation of the content read from external markdown files is performed before processing.
Recommendations
- AI detected serious security threats
Audit Metadata