Skills
AGENT LAB: SKILLS
skills/feiskyer/claude-code-settings/autonomous-skill/Gen Agent Trust Hub

autonomous-skill

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill uses bash templates that directly interpolate user-controlled variables (e.g., $USER_TASK, $USER_TASK_DESCRIPTION) into shell pipelines and CLI tool calls.
  • Evidence: TASK_NAME=$(echo "$USER_TASK" | ...) in Step 1 and claude -p "Task: $USER_TASK_DESCRIPTION ..." in Step 3.
  • Risk: If the agent executes these templates verbatim, an attacker can provide input containing shell metacharacters (e.g., backticks, $()) or CLI flags (e.g., --append-system-prompt) to hijack the execution environment or the spawned agent's behavior.
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.
  • Ingestion points: task_list.md and progress.md in the .autonomous/ directory, which are generated from user-provided descriptions.
  • Boundary markers: Absent. The executor-prompt.md instructions tell the agent to "trust the order" and "read the task list to see all work" without warning the agent that the content is untrusted.
  • Capability inventory: The skill grants broad Bash access, including the ability to run the claude CLI, as well as Write and Edit tools.
  • Sanitization: None detected. User input is transformed into task names using basic sed filters, but the body of the task descriptions is placed directly into executable context in subsequent agent sessions.
  • [PROMPT_INJECTION] (MEDIUM): Potential for Prompt Leakage and Behavior Overriding. The skill uses the --append-system-prompt flag with user-influenced data, which is a high-risk pattern that can be used to override the core instructions of the secondary agent session.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 05:27 PM