init-project-research
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill modifies the agent's security configuration by using `jq` to read the global `~/.claude/settings.json` file and merge its `permissions.allow` and `permissions.deny` arrays into the local `.claude/settings.local.json`. This allows the project to inherit broad permissions, effectively bypassing local restriction defaults.
- [COMMAND_EXECUTION]: The skill registers a `PostToolUse` hook (`.claude/hooks/copy-paper-pdf.sh`) in the agent's local settings. This causes a bash script to execute automatically whenever the `Bash` tool is used, providing a persistent mechanism for background command execution.
- [COMMAND_EXECUTION]: The skill generates a `.latexmkrc` configuration file that contains a Perl `system()` call. This executes shell commands (`cp`) during the LaTeX compilation process, which is a form of dynamic command execution within a configuration file.
- [COMMAND_EXECUTION]: The skill creates a `run_all.sh` script that executes Python, R, and Stata scripts via shell commands (`uv run`, `Rscript`, `stata-mp`). While functional, this provides a pre-configured vector for executing code that may be modified by other agents or users.
- [PROMPT_INJECTION]: Phase 1.5 involves scanning existing files in a directory and reading their content to "absorb" it into the new project's metadata and configuration. This creates a surface for indirect prompt injection, as malicious instructions embedded in existing documents could be processed and acted upon by the agent during the initialization phase.
  - Ingestion points: Reads `.tex`, `.md`, and `.bib` files from the target directory during the auto-detection and reorganization phases (Phase 1.0 and 1.5).
  - Boundary markers: None identified for the scan of existing user files.
  - Capability inventory: The skill has extensive bash execution capabilities (`mkdir`, `touch`, `chmod`, `git`, `jq`, `ln`, `rsync`) and file write access.
  - Sanitization: No evidence of sanitization or filtering of content read from existing files before it is used to seed new configuration files or project metadata.
- [EXTERNAL_DOWNLOADS]: The skill performs several external operations, including creating private GitHub repositories via the `gh` CLI, rsyncing templates from a local Task Management directory, and querying the Elsevier Serial Title API for journal rankings (which requires an API key).