plugin-settings
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill architecture allows .local.md files to influence agent behavior through instruction fields and loop-back prompts. Findings follow the Category 8 evidence chain:
  - Ingestion points: .claude/*.local.md files parsed in hook scripts and state files used by the 'ralph-wiggum' pattern.
  - Boundary markers: Frontmatter is delimited by ---, but markdown bodies (used as prompt text) lack isolation or instructions for the agent to ignore embedded commands.
  - Capability inventory: Includes file writing, interactive questions, session blocking, and tmux session interaction.
  - Sanitization: documentation in examples/create-settings-command.md explicitly instructs agents to sanitize free-text and validate inputs.
- COMMAND_EXECUTION (LOW): Documented patterns include using tmux to send notifications to other terminal sessions.
  - Evidence: references/real-world-examples.md (lines 78-82) demonstrates the use of 'tmux send-keys' with variables extracted from local files.
  - Context: While bash variables are quoted to mitigate direct shell injection, the send-keys command inherently allows executing instructions in the target session if the message content is influenced by untrusted data.
Audit Metadata