skills/jeremylongshore/claude-code-plugins-plus-skills/assisting-with-soc2-audit-preparation/Gen Agent Trust Hub
assisting-with-soc2-audit-preparation
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/generate_soc2_report.py includes a generate_script method that writes arbitrary template content to a shell script file and applies chmod 0o755 to make it executable. This behavior allows for the dynamic creation and execution of scripts based on input data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted external data from sources such as cloud provider logs and infrastructure-as-code files without implementing sanitization or boundary markers.
  1. Ingestion points: documentation, cloud logs, and configuration files in the base directory.
  2. Boundary markers: No delimiters or ignore instructions are present in the prompt instructions or script logic.
  3. Capability inventory: All included scripts perform file system operations; generate_soc2_report.py specifically provides script generation and modification capabilities.
  4. Sanitization: No escaping or validation is performed on the data ingested before it is processed or used in report generation.
Audit Metadata