journey-design
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script named
journey-engine.pyusing thesimulateargument to perform Monte Carlo simulations. This represents the execution of code external to the skill's own instructions. - [COMMAND_EXECUTION]: The process involves reading from sensitive file paths in the user's home directory, specifically
~/.claude-marketing/brands/and~/.claude-marketing/sops/. Accessing files outside the project root can lead to the exposure of sensitive brand and configuration data. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting data from untrusted local files.
- Ingestion points: Files located at
~/.claude-marketing/brands/_active-brand.json,~/.claude-marketing/brands/{slug}/profile.json, and~/.claude-marketing/brands/{slug}/guidelines/_manifest.jsonare read and their content is applied to the agent's context. - Boundary markers: None are specified to delimit the ingested content or warn the agent against following instructions embedded within these files.
- Capability inventory: The skill has the capability to execute shell commands (
journey-engine.py). - Sanitization: No sanitization or validation of the ingested JSON data is described before it is used to inform journey design logic.
Audit Metadata