emerging-channels
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute a shell command:
python campaign-tracker.py --brand {slug} --action list-campaigns. The scriptcampaign-tracker.pyis not provided within the skill package, representing an external execution dependency. Furthermore, using a dynamic{slug}variable in a shell command without sanitization instructions poses a command injection risk. - [REMOTE_CODE_EXECUTION]: The instruction to run an external script (
campaign-tracker.py) that is not part of the distributed skill files allows for the execution of arbitrary code present on the host system. - [DATA_EXPOSURE]: The skill programmatically accesses files in the user's home directory (e.g.,
~/.claude-marketing/brands/{slug}/profile.json). This pattern is vulnerable to path traversal if the{slug}variable is manipulated to point to sensitive system files (e.g.,../../.ssh/id_rsa). - [INDIRECT_PROMPT_INJECTION]: The skill's core logic involves reading and enforcing content from external files like
restrictions.md,messaging.md, andcompliance-rules.mdwithout validation. - Ingestion points: Data is read from
~/.claude-marketing/andskills/context-engine/subdirectories. - Boundary markers: The instructions lack delimiters or 'ignore embedded instructions' warnings when processing the contents of these external files.
- Capability inventory: The agent has the capability to read files and execute shell commands.
- Sanitization: There is no mention of sanitizing the content of the brand profile or guidelines before applying them to the agent's persona and constraints.
Audit Metadata