ce-compound

Pass

Audited by Gen Agent Trust Hub on May 8, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes dynamic context injection (!command syntax) within the SKILL.md file to execute git rev-parse at load time. This is used for legitimate environment detection to resolve the current branch name.
  • [DATA_EXFILTRATION]: The skill dispatches a subagent to read private session history files from directories outside the project root, specifically ~/.claude/projects/, ~/.codex/sessions/, and ~/.cursor/projects/. This information is summarized and incorporated into the project's internal documentation. This feature is gated by an explicit user consent prompt.
  • [COMMAND_EXECUTION]: The skill executes a local Python validation script (scripts/validate-frontmatter.py) to ensure the integrity of generated YAML frontmatter. The script is a vendor-provided tool that uses only the standard library for regex-based checks.
  • [PROMPT_INJECTION]: The 'Discoverability Check' involves modifying project instruction files (such as AGENTS.md or CLAUDE.md) to influence the behavior of future agents. This persistent modification is designed to ensure future sessions are aware of the documentation store and is protected by a mandatory user confirmation step.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by processing untrusted data from multiple sources.
      • Ingestion points: Conversation history, user memory (MEMORY.md), and external session logs.
      • Boundary markers: The skill employs clear markdown sectioning and tags external content (e.g., using (session history) or (auto memory [claude])) to maintain provenance.
      • Capability inventory: The agent has the ability to write to documentation directories and edit project configuration files.
      • Sanitization: Frontmatter validation is performed via a dedicated script to prevent common YAML injection or parsing corruption issues.
Audit Metadata
Risk Level: SAFE
Analyzed: May 8, 2026, 09:12 PM