agent-development
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill documentation recommends using authoritative trigger phrases such as "MUST BE USED" and "Use PROACTIVELY" in agent descriptions. These patterns are designed to manipulate the AI's delegation logic and prioritize specific agents, which mirrors techniques used in prompt injection to override system behavior.
- [COMMAND_EXECUTION]: The skill provides instructions in SKILL.md and rules/agent-memory-limits.md to modify shell configuration files (~/.bashrc, ~/.zshrc) to set the NODE_OPTIONS environment variable. This is a persistence mechanism used to change the execution environment of the Node.js runtime.
- [DATA_EXFILTRATION]: In rules/custom-agent-instructions.md, the skill suggests a configuration for .claude/settings.json that allowlists WebFetch(domain:*). This bypasses security prompts for network requests to any domain, potentially allowing an agent to exfiltrate data to arbitrary external servers.
- [COMMAND_EXECUTION]: The same recommended allowlist in rules/custom-agent-instructions.md includes various Bash commands (e.g., cd, cp, mkdir, mv). Permitting these commands by default weakens the human-in-the-loop security model of Claude Code and grants automatic execution privileges.
- [PROMPT_INJECTION]: The plugin.json metadata description includes authoritative markers ("MUST BE USED", "Use PROACTIVELY") intended to influence the agent's internal task delegation mechanisms.
- [PROMPT_INJECTION]: The skill provides a framework for building agents with high-privilege capabilities (Bash, Write) that process untrusted data without specifying input sanitization or boundary markers, creating a surface for indirect prompt injection.
Audit Metadata