meta
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- Prompt Injection (HIGH): The skill directly interpolates raw user input into a Claude Code session without any sanitization or boundary markers, allowing attackers to bypass intended constraints.
- Indirect Prompt Injection (HIGH): (1) Ingestion points: Raw user text from Telegram. (2) Boundary markers: Absent in the implementation description. (3) Capability inventory: The skill uses ClaudeCodeService with full read/write access to the bot project directory (~/ai_projects/telegram_agent). (4) Sanitization: None described.
- Remote Code Execution (HIGH): By design, this skill provides a mechanism to modify and potentially execute code within the project's working directory, which can be abused to run arbitrary scripts on the host system.
Recommendations
- AI detected serious security threats
Audit Metadata