init
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Vulnerability to indirect prompt injection through the processing of external web content.
- Ingestion points: Untrusted data enters the agent's context during 'Phase 2: Automatic Research' where the
WebFetchtool is used to scrape the homepage, about page, services page, and LinkedIn profile of a user-provided URL. - Boundary markers: There are no boundary markers or delimiters used in the prompt templates to separate the scraped web content from the system instructions, nor are there instructions for the agent to ignore embedded commands within the fetched data.
- Capability inventory: Across the scripts, the agent has the capability to write to the local filesystem (
/CLAUDE.md), create new client directories, copy project templates, and delete example folders. - Sanitization: No sanitization, validation, or escaping of the web content is performed before the data is interpolated into the research summary or the final
/CLAUDE.mdfile. - [COMMAND_EXECUTION]: The skill performs automated filesystem operations based on the data gathered during the initialization process.
- Evidence: Phase 4 and Phase 5 involve the dynamic creation of files and folders (
/clients/[client-name]/) and the replacement of content in the/CLAUDE.mdconfiguration file. - Evidence: Phase 6 requests permission to delete existing local directories (
_example-acme-widgets). - [EXTERNAL_DOWNLOADS]: The skill initiates multiple network requests to fetch data from external domains.
- Evidence: The workflow explicitly uses
WebFetchto gather information from various pages of a target website provided by the user.
Audit Metadata