smart-loader
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to inspect the local filesystem (`ls ~/.claude-context-optimizer/templates/`) and runs a local Node.js script (`tracker.js`).
- [COMMAND_EXECUTION]: The skill constructs a shell command using dynamic input: `node ${CLAUDE_PLUGIN_ROOT}/src/tracker.js suggest "$(pwd)"`. Passing the current working directory via shell interpolation (`$(pwd)`) is a dynamic command generation pattern that could be exploited if the directory name contains shell metacharacters.
- [PROMPT_INJECTION]: The skill identifies a surface for indirect prompt injection by ingesting untrusted data (user-provided task descriptions) to influence which files are suggested for loading.
  - Ingestion points: User's task description (processed in SKILL.md).
  - Boundary markers: None explicitly defined for isolating the task description input.
  - Capability inventory: Shell command execution (`ls`, `node`).
  - Sanitization: The skill includes a manual safety check ("Do NOT automatically read files without user confirmation"), which mitigates the risk but does not eliminate the injection surface.
Audit Metadata