skill-link
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions utilize shell-level logic such as 'ln -sfn' to create and force symlinks, and 'realpath' to resolve absolute paths. These operations directly modify the filesystem and the agent's environment configuration.
- [DATA_EXFILTRATION]: The skill explicitly targets sensitive application directories located at '$HOME/.claude' and '$HOME/.codex'. Modifying or linking into these paths can expose tool-specific configurations or enable the persistence of unauthorized extensions.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by scanning external directories and reading 'SKILL.md' files during the installation and health-check workflows.
  - Ingestion points: User-specified source directories and contents of 'SKILL.md' files discovered during scanning.
  - Boundary markers: No delimiters or instructions are implemented to ignore embedded malicious content within the scanned files.
  - Capability inventory: File system linking, path resolution, and directory scanning.
  - Sanitization: Mentions path quoting to handle spaces but lacks validation for the integrity or safety of the content within the linked files.
Audit Metadata