project-fix
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by consuming and acting upon the `FIX_MANIFEST` block within an external `audit-report.md` file. Maliciously crafted manifest items could influence the agent to perform unintended file operations or embed deceptive instructions into project documentation.
  - Ingestion points: `.claude/audit-report.md` (specifically the `FIX_MANIFEST` section).
  - Boundary markers: The skill looks for a specific YAML-like block within the markdown file.
  - Capability inventory: The skill has the ability to create directories (`openspec/`), create and modify project context files (`CLAUDE.md`, `ai-context/*.md`), and recursively delete local skill directories (`.claude/skills/`).
  - Sanitization: No explicit sanitization or validation of the manifest content is described beyond basic normalization and a compatibility policy for action types.
- [COMMAND_EXECUTION]: The skill performs automated file system operations including directory creation and the recursive deletion of skill subdirectories (`delete_duplicate` handler). Although these operations require user confirmation at each phase, they grant the skill significant control over the local `.claude/` environment based on external input.
Audit Metadata