setup
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill explicitly targets sensitive configuration files, specifically
.envfiles, to extractDATABASE_URLand other service patterns. This behavior constitutes data exposure by bringing environment secrets into the active agent context. - [COMMAND_EXECUTION]: The skill's workflow includes the execution of arbitrary project commands extracted from
package.jsonorMakefileand describes a dynamic background task system (Task()) for indexing and setup. It also implementsPreToolUsehooks that trigger logic based on file paths and content. - [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core function of processing untrusted repository data.
- Ingestion points: Repository structure scans, dependency file analysis (
package.json,go.mod), and documentation reading (README,docs/). - Boundary markers: There are no documented boundary markers or instructions to the agent to disregard instructions found within the files it is analyzing.
- Capability inventory: The agent can execute shell commands, record project memories, and initiate background sub-agent tasks.
- Sanitization: No evidence of sanitization or validation of the codebase content is present before it is used to generate project documentation or influence agent policy management.
- [PROMPT_INJECTION]: The use of 'Critical Rules' such as 'ALWAYS' and 'NEVER' in the generated
CLAUDE.mdis intended for project guidance but represents a mechanism where untrusted repo content could influence the agent's future behavioral constraints.
Audit Metadata