health
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted data from the project environment and tool outputs into the agent's context, creating a surface for indirect prompt injection.
  - Ingestion points: The skill reads project files like `package.json` and `CLAUDE.md`, and captures the last 50 lines of stdout/stderr from every executed health tool (tsc, biome, pytest, etc.).
  - Boundary markers: While the dashboard output is structured, the skill lacks explicit delimiters or instructions to ignore instructions embedded within the ingested tool outputs.
  - Capability inventory: The skill has extensive capabilities including file system modification (`Write`, `Edit`), directory traversal (`Glob`, `Grep`), and arbitrary command execution (`Bash`).
  - Sanitization: No sanitization or filtering is performed on tool outputs or project file content before they are presented to the agent.
- [COMMAND_EXECUTION]: The skill dynamically identifies and executes commands found in the local project environment. It parses the `test` script from `package.json` and tools listed in `CLAUDE.md`'s `## Health Stack` section and executes them via the shell. This allows a project's configuration to dictate commands executed by the agent.
- [DATA_EXFILTRATION]: The skill includes telemetry and memory synchronization features. While these are opt-in and gated by user prompts, the telemetry implementation collects the repository's base name (`basename "$(git rev-parse --show-toplevel)"`) despite user-facing text stating that no repository names are shared.