claude-code
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute specific CLI tools and MCP functions, including 'git-ai search' for retrieving conversation context from git history, 'cozempic' for context management, and several 'mcp__pal__' tools for multi-model analysis and debugging.
- [PROMPT_INJECTION]: The instructions establish a trust relationship with external data by directing the agent to 'Trust this index for past decisions and learnings' when using the Claude-mem tool. This creates a surface for indirect prompt injection if the stored memory contains malicious instructions from previous sessions.
- [PROMPT_INJECTION]: Ingestion points: Data entering the session context via 'Claude-mem' (past observations) and 'git-ai-search' (git history and associated AI conversation context).
- [PROMPT_INJECTION]: Boundary markers: The skill lacks explicit instructions for the agent to treat retrieved data as untrusted or to wrap it in delimiters; instead, it encourages direct trust in the memory index.
- [PROMPT_INJECTION]: Capability inventory: The agent is granted capabilities to run CLI commands (git-ai, cozempic), perform memory operations (save_memory, search), and invoke external analysis models (PAL MCP).
- [PROMPT_INJECTION]: Sanitization: There are no instructions provided for sanitizing or validating content retrieved from memory or git history before it is integrated into the active prompt context.