localize-campaign
Warn
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating the `{localized_content}` variable into script calls, such as `python scripts/eval-runner.py --text "{localized_content}"` and `python scripts/brand-voice-scorer.py --text "{localized_content}"`. Because this content is derived from external campaign assets provided by the user, this pattern creates a high risk of command injection if the content contains shell metacharacters and the execution environment lacks proper argument escaping.
- [DATA_EXFILTRATION]: The skill reads sensitive brand profiles, messaging hierarchies, and compliance data from the user's home directory at `~/.claude-marketing/`. This information is then processed and transmitted to external translation services via MCP servers (including DeepL, Google Cloud Translation, and Sarvam AI). This creates a data exfiltration surface where proprietary brand information is sent to third-party providers.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting "Campaign assets" (e.g., `/campaign/fb-ad.txt`) which are then processed by the agent. Malicious instructions embedded in these assets could attempt to influence the behavior of the `localization-specialist` or `content-creator` agents during the transcreation or cultural adaptation steps.
  - Ingestion points: Campaign assets (files and directories), brand profiles in `~/.claude-marketing/`.
  - Boundary markers: None identified in the prompt templates.
  - Capability inventory: Subprocess calls to local Python scripts, file reads from home directory, and network operations via translation MCP servers.
  - Sanitization: No evidence of escaping or validation of external asset content before it is processed or used in shell commands.
Audit Metadata