claude-skill-orchestration-audit
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive filesystem paths to discover other installed skills.
  - Evidence: SKILL.md contains instructions to 'Glob ~/.claude/skills/*/SKILL.md' to discover skills for auditing.
  - Context: While this is necessary for the skill's primary purpose, accessing the user's home directory configuration files is a sensitive operation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data (the content of other skills) through a sub-agent without sufficient isolation.
  - Ingestion points: SKILL.md reads the content of any SKILL.md file found in the globbed path and passes it to the 'Skill Analyzer Agent' in Step 2.
  - Boundary markers: None. The instructions in references/agent-skill-analyzer.md do not include delimiters or warnings to ignore instructions embedded within the analyzed skill content.
  - Capability inventory: The orchestrator has the ability to read/write files and launch sub-agents. The 'Agent' tool is used to execute the analysis logic.
  - Sanitization: No sanitization or escaping of the target skill's content is performed before it is processed by the LLM.
- [COMMAND_EXECUTION]: The skill includes functionality to modify the local filesystem, specifically other skill files.
  - Evidence: The '--fix' flag in SKILL.md allows the agent to 'apply with Edit after user confirms' changes to the audited skills.
  - Context: This capability allows modification of other agent logic, which can be risky if combined with an indirect prompt injection attack.
Audit Metadata