claude-skill

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to operate the Claude Code CLI in a "headless" (non-interactive) mode, prioritizing automation over user oversight. It sets --permission-mode acceptEdits as the default, which auto-approves file edits and writes anywhere in the working tree for the whole session without per-change confirmation (shell commands still prompt in this mode unless they are separately allowlisted).
  • [COMMAND_EXECUTION]: The documentation includes instructions for the bypassPermissions mode, which skips all safety prompts for both file system modifications and arbitrary shell command execution. The skill notes this should only be used in sandboxed environments, but its inclusion as a documented feature for the agent to use increases the risk of accidental or malicious misuse.
  • [PROMPT_INJECTION]: The skill's "Core Principles" contain instructions that attempt to override the AI's standard safety guidelines regarding user consent. Phrases like "Execute tasks from start to finish without seeking approval for each action" and "Make confident decisions... without seeking confirmation" are explicit directives to ignore typical interaction guardrails.
  • [EXTERNAL_DOWNLOADS]: The skill guides the user to download and install the @anthropic-ai/claude-code package from the official npm registry. While this is from a trusted organization, it establishes the execution environment for the high-risk behaviors identified.
  • [REMOTE_CODE_EXECUTION]: By wrapping the claude -p command, the skill executes whatever instructions are passed to it as a prompt string. Those instructions are carried out by a sub-agent with access to the file system and shell tools, so if the prompt (or the file contents and command output the agent pulls into its context) originates from an untrusted source, this is effectively a path to remote code execution on the host running the CLI.
  • [PROMPT_INJECTION]: The skill exposes a significant surface for indirect prompt injection attacks.
      • Ingestion points: Data enters the agent's context through user-provided prompts, file content read from the disk, and external command outputs such as gh pr diff used in the examples.
      • Boundary markers: No boundary markers or delimiters are defined to separate instructions from the data being processed.
      • Capability inventory: The agent is granted extensive capabilities, including reading, writing, and editing files, and executing bash commands.
      • Sanitization: There is no evidence of sanitization or validation of the data before it is passed to the CLI tool's processing engine.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 9, 2026, 02:55 AM