handlebar-rule-generation

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is vulnerable to indirect prompt injection via the .claude/.handlebar/agent-config.json file.
  • Ingestion points: Data is read from .claude/.handlebar/agent-config.json, which contains tool names, purposes, categories, and agent intent that may originate from untrusted sources (e.g., third-party tool schemas).
  • Boundary markers: No explicit delimiters or 'ignore instructions' warnings are used when interpolating this configuration data into the rule generation prompt.
  • Capability inventory: The skill can write files (.claude/.handlebar/rules.json) and execute shell commands (curl via subprocess) to interact with external APIs.
  • Sanitization: No sanitization or schema validation is performed on the input configuration before it is used to generate rules or CLI commands.
  • Data Exfiltration (LOW): The skill performs network operations to https://api.gethandlebar.com/v1/rules. While aligned with the stated purpose, this domain is not on the trusted whitelist, and the skill transmits configuration summaries and generated rules externally.
  • Command Execution (LOW): The skill instructs the agent to execute a curl command using the shell. While intended for rule upload, this pattern provides a vector for command injection if the generated file content or environment variables are manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 12:20 PM