nest-claude
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Describes a method to bypass the `claude` CLI's built-in restriction on recursive nesting by unsetting specific environment variables (`CLAUDECODE` and `CLAUDE_CODE_ENTRYPOINT`).
- [COMMAND_EXECUTION]: Provides instructions for using the `--dangerously-skip-permissions` flag, which allows child processes to execute all available tools (including file system and shell access) without human intervention or approval.
- [COMMAND_EXECUTION]: Recommends the use of dynamically generated shell scripts (Pattern B) to manage the execution and synchronization of multiple background processes.
- [PROMPT_INJECTION]: Establishes a surface for indirect prompt injection through the following mechanisms:
  - Ingestion points: Untrusted data can enter the agent context via the child's prompt flag (`-p`) or file-reading tools within the `SKILL.md` workflows.
  - Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are provided in the recommended prompt templates or file-based IPC examples.
  - Capability inventory: Full access to host system tools (Bash, Read, Write) is granted to the child processes via the auto-approval flag, allowing actions to be taken based on injected content.
  - Sanitization: No input validation or escaping logic is suggested for the data being passed into nested instances or written to shared state files.
Audit Metadata