popsicle

Pass

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: SAFE
COMMAND_EXECUTION · PROMPT_INJECTION · DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes shell commands to perform repository analysis, manage git operations, and spawn sub-agent sessions via the claude CLI. These commands involve dynamic interpolation of data extracted from the repository, which could lead to command injection if malicious strings are present in the analyzed codebase.
  • [DATA_EXFILTRATION]: The skill is instructed to scan sensitive files, including environment variables, feature flags, and deployment configurations. While it does not transmit this data to an external server, it extracts and stores the information in temporary files in the /tmp directory, increasing the risk of local data exposure.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it ingests untrusted data from the repository and uses it to generate prompts for secondary agent sessions.
      • Ingestion points: The skill reads repository source code, documentation files (CLAUDE.md, README.md, etc.), and configuration files.
      • Boundary markers: The prompts for validation sessions include instructions to "Use ONLY the documentation" and "Do not read source code", which act as soft boundaries.
      • Capability inventory: The skill is granted broad capabilities via the Bash, Read, and Write tools.
      • Sanitization: There is no explicit sanitization or escaping of the repository-derived content before it is used in prompts or shell commands.
Audit Metadata
Risk Level: SAFE
Analyzed: May 2, 2026, 05:45 PM