plugin-creator
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches official Claude Code documentation, schema references, and plugin guidelines from
code.claude.comto ensure created plugins comply with platform requirements. - [COMMAND_EXECUTION]: Utilizes local development tools including
gitfor version control,jqfor JSON manipulation, andgrepfor searching, as well as executing local Python scripts viauvfor scaffolding. - [REMOTE_CODE_EXECUTION]: Leverages
uvxto execute theskilllintpackage from a remote registry to perform automated validation of skill metadata and structure. - [DATA_EXFILTRATION]: Accesses the local
plugins/directory and the user's global skill repository at~/.claude/skills/to research existing implementations and ensure architectural consistency. - [PROMPT_INJECTION]: Vulnerable to indirect prompt injection because the skill ingests and analyzes third-party plugin code and external documentation.
- Ingestion points: Content is read from local plugin files, the
~/.claude/skills/directory, and external documentation URLs. - Boundary markers: There are no explicit delimiters or instructions provided to sub-agents to ignore potentially malicious instructions embedded in the ingested data.
- Capability inventory: The orchestration involves sub-agents (
general-purpose,Plan,plugin-assessor) that have permissions to write to the file system and execute shell commands. - Sanitization: The skill does not perform sanitization or validation of the logic contained within ingested files before they are processed by LLM sub-agents.
Audit Metadata