skills/hiyeshu/codeck/codeck-outline/Gen Agent Trust Hub

codeck-outline

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands using variables derived from the local environment, specifically DECK_DIR="$HOME/.codeck/projects/$(basename "$(pwd)")". Using $(basename "$(pwd)") inside double quotes allows for command injection if the current working directory name contains shell metacharacters such as backticks or subshell syntax.
  • [COMMAND_EXECUTION]: The use of eval to execute a find command string in SKILL.md is a risky pattern. While the exclusion list is static, the eval context can be exploited if the directory structure or filenames contain malicious characters designed to break out of the command string.
  • [EXTERNAL_DOWNLOADS]: The instructions explicitly direct the agent to "search the web" to fill information gaps or verify terminology. This involves fetching data from remote, unverified sources which could contain malicious or biased content.
  • [REMOTE_CODE_EXECUTION]: The skill executes a local shell script located at $HOME/.claude/skills/codeck/scripts/status.sh. While this script is intended to be part of the skill's infrastructure, executing scripts from variable paths in the home directory is a high-risk operation if the installation environment is compromised.
  • [PROMPT_INJECTION]: The skill processes untrusted user data from the local project directory (Markdown, PDF, DOCX, etc.) without explicit boundary markers or sanitization logic. This creates an indirect prompt injection surface where instructions embedded within these documents could override the agent's editorial persona or primary instructions.
      - Ingestion points: Files in the current working directory scanned via find and read via the Read tool (referenced in SKILL.md).
      - Boundary markers: Absent. No specific delimiters or "ignore instructions" warnings are used when processing material content.
      - Capability inventory: File system writes (mkdir), directory scanning (find), and shell script execution (bash) as defined in SKILL.md.
      - Sanitization: Absent. Content is processed directly for narrative extraction.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Apr 2, 2026, 06:32 AM