semantic-compressor
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) during its iterative compression process. It reads content from arbitrary markdown files and embeds it directly into prompts for the 'claude' CLI.
- Ingestion points: Instruction files discovered via directory scanning in '.claude/skills' and '.claude/agents'.
- Boundary markers: Absent; untrusted content is placed between descriptive labels like '<文件内容>' and '<压缩内容>' without robust isolation or instruction-bypass warnings.
- Capability inventory: The workflow involves 'bash' execution for file management and the ability to overwrite existing agent skills.
- Sanitization: None; the file content is processed as-is, allowing malicious instructions within a file to subvert the compression or verification logic.
- [COMMAND_EXECUTION]: The skill instructs the agent to construct and execute shell commands (e.g., 'claude -p') that include variables populated with raw file data. This pattern creates a surface for command injection if the agent fails to properly escape shell metacharacters (such as backticks or semicolons) present in the source files being compressed.
Audit Metadata