creative-health
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Python script named creative-fatigue-predictor.py during the process phase. Since the source code for this script is not provided in the skill package, its behavior is unverifiable and the script could perform unauthorized actions.
- [COMMAND_EXECUTION]: The skill reads sensitive brand configuration data, visual identity restrictions, and agency standard operating procedures (SOPs) from hidden directories located at ~/.claude-marketing/.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the ingestion of external creative performance data.
  - Ingestion points: Creative names, channel contexts, and performance metrics provided by the user or external ad platforms as described in the 'Input Required' section.
  - Boundary markers: The skill does not define delimiters or specific instructions to ignore embedded commands within the processed data.
  - Capability inventory: The skill has file system read access and the ability to execute local Python scripts.
  - Sanitization: There is no evidence of data validation or sanitization of the input before it is passed to the scoring script or the secondary agents.
Audit Metadata