ce-compound

Pass

Audited by Gen Agent Trust Hub on May 6, 2026

Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs local command execution to automate documentation tasks. It runs a bundled Python script (scripts/validate-frontmatter.py) using python3 to validate generated YAML frontmatter. It also utilizes git and the GitHub CLI (gh) to gather repository and issue information. Additionally, the skill uses dynamic context injection (!command) in its SKILL.md to run git rev-parse at load time for environment detection.
  • [DATA_EXFILTRATION]: The skill features a 'Full' research mode that dispatches the ce-session-historian subagent. This component is designed to access session history files located in the user's home directory (e.g., ~/.claude/projects/), facilitating cross-project data exposure. This access is explicitly documented and requires user confirmation.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted external data.
    • Ingestion points: The skill reads data from the current conversation history, existing documentation in the docs/solutions/ directory, and historical session files.
    • Boundary markers: Instructions suggest keeping subagent dispatch prompts 'tight' to control the context window.
    • Capability inventory: The orchestrator can write files to the repository (docs/solutions/), modify project instruction files (AGENTS.md, CLAUDE.md), and execute shell-based tools (python3, git, gh).
    • Sanitization: A Python-based validator is used to check YAML syntax and prevent parser-level exploits in the generated documentation.
Audit Metadata
Risk Level: SAFE
Analyzed: May 6, 2026, 05:13 AM