french-tutor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted text from users for translation and correction as documented in SKILL.md. 1. Ingestion points: Input received via translation and correction triggers. 2. Boundary markers: Absent; there are no delimiters or instructions to isolate user content. 3. Capability inventory: The agent can execute shell commands (python ...) and write to the filesystem (state.json). 4. Sanitization: Absent; the skill does not escape user input before use. An attacker could embed instructions in the French text to hijack the session.
- [COMMAND_EXECUTION] (HIGH): The skill executes python ~/.claude/skills/mochi-srs/scripts/mochi_api.py using content derived from user input via the --content flag. This presents a high risk for command injection if the user-provided text contains shell metacharacters like backticks, semicolons, or pipes.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The installation instructions in README.md reference HartreeWorks, which is not a verified or trusted organization according to the [TRUST-SCOPE-RULE].
- [COMMAND_EXECUTION] (MEDIUM): The skill performs runtime execution of a local Python script from another skill's directory (~/.claude/skills/mochi-srs/), which is a form of dynamic loading (Category 10).
- [PROMPT_INJECTION] (MEDIUM): The skill uses HTML entities ( ) in SKILL.md flashcard templates. While likely for formatting, these can be used to obfuscate content in simple ways (Category 3g).
Recommendations
- AI detected serious security threats
Audit Metadata