skills/jmagar/claude-homelab/zfs/Gen Agent Trust Hub

zfs

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill contains specific instructions in SKILL.md to guide the AI agent on when to invoke the toolset (e.g., 'YOU MUST invoke this skill'). This is instructional framing intended to improve tool selection accuracy; it does not attempt to bypass security filters or override user safety constraints.
  • [COMMAND_EXECUTION]: The skill uses standard ZFS commands (zpool, zfs) and replication tools (syncoid, sanoid) to perform its stated tasks. While these commands often require administrative privileges, the skill follows best practices by documenting zfs allow delegation to minimize root usage and enforcing a strict multi-step confirmation protocol for destructive actions like zfs destroy or zpool rollback.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The documentation references the use of SSH keys and .env files for managing credentials and remote access. These are standard practices for automated ZFS replication across devices. No logic for unauthorized data exfiltration was found; network operations are limited to SSH replication tasks initiated by the user.
  • [INDIRECT_PROMPT_INJECTION]: The skill reads and processes system output from ZFS monitoring commands. This creates a potential surface for indirect injection if an attacker could control ZFS object names; however, the risk is negligible due to ZFS's strict naming conventions and the skill's mandatory human-in-the-loop requirement for all impactful operations.
      • Ingestion points: scripts/pool-health.sh and examples/basic-health-check.sh read outputs from the zpool list and zpool status commands.
      • Boundary markers: The SKILL.md file enforces a 'MANDATORY CONFIRMATION PROTOCOL' that includes impact explanation and double user confirmation before any state-changing command.
      • Capability inventory: The skill provides bash scripts that execute ZFS management commands and handle dataset synchronization via ssh and syncoid.
      • Sanitization: Shell scripts utilize standard variable quoting to prevent command injection, and ZFS provides inherent validation of pool and dataset names.
  • [DYNAMIC_EXECUTION]: The scripts/load-env.sh utility facilitates the loading of configuration variables by sourcing local .env files. This is a common and appropriate pattern for local environment management in administrative tools and does not involve the execution of code from untrusted or remote sources.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 7, 2026, 05:33 PM