start-research
Fail
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The file SKILL.md contains a bash script invocation that directly interpolates the user-provided {topic} variable: .claude/hooks/workflows/write-session-state.sh "{topic}" .... Since this variable is gathered directly from user input in references/gather-context.md, an attacker can use shell metacharacters to escape the intended command and execute arbitrary code: backticks or $(...) are expanded even inside the double quotes, and a double quote followed by a semicolon ends the argument so that the rest of the value is parsed as further commands.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8). Evidence:
  1. Ingestion points: User input is collected through multiple prompts in references/gather-context.md.
  2. Boundary markers: None present.
  3. Capability inventory: The skill has the ability to execute bash scripts and write session state.
  4. Sanitization: No sanitization or escaping is performed on the gathered user input before it is used in command interpolation or file path construction.
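The following script is an added illustration of the COMMAND_EXECUTION finding; it is not code from the start-research skill or from the audit. It builds a stand-in for write-session-state.sh that only reports the argument it received (the real hook's location and behaviour are assumed), renders a command template by text substitution the way a SKILL.md line with "{topic}" is rendered, and contrasts that with passing the value as a single argv element plus an allow-list check. The hostile topic string and the allow-list pattern are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the start-research skill or the audit report.
# Shows why substituting {topic} into a shell command string is a command
# injection, and a hardened alternative. The stub stands in for
# .claude/hooks/workflows/write-session-state.sh (assumed, for illustration).

# Stand-in hook: prints the first argument so we can see what reached it.
STUB="$(mktemp)"
cat >"$STUB" <<'EOF'
#!/bin/sh
printf 'topic=%s\n' "$1"
EOF
chmod +x "$STUB"
trap 'rm -f "$STUB"' EXIT

# Vulnerable: mimic rendering   write-session-state.sh "{topic}"
# by string substitution and handing the result to a shell. A double quote
# inside the topic closes the argument; what follows is parsed as more commands.
run_vulnerable() {
  topic=$1
  cmd="\"$STUB\" \"$topic\""
  sh -c "$cmd"
}

# Hardened: the topic is one argv element and is never re-parsed by a shell.
run_hardened() {
  topic=$1
  "$STUB" "$topic"
}

# Allow-list check applied before the value reaches any command or file path.
# The character set and length are choices made for this example.
topic_is_safe() {
  printf '%s' "$1" | grep -Eq '^[[:alnum:] ._-]{1,200}$'
}

# Constructed hostile input: closes the quoted argument, runs an extra command
# that prints a marker, then reopens a quote so the whole line still parses.
HOSTILE='x"; echo INJECTED; echo "y'

echo "--- vulnerable (template substitution) ---"
run_vulnerable "$HOSTILE"
echo "--- hardened (single argument) ---"
run_hardened "$HOSTILE"
if topic_is_safe "$HOSTILE"; then echo "allow-list: accepted"; else echo "allow-list: rejected"; fi
```

In the vulnerable path the stub sees only "x" and the shell then runs the injected echo; in the hardened path the stub receives the whole string, quotes and semicolons included, as inert data. The same argument-passing rule applies to any other value the skill gathers from the user before it is used in a command or a file path.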
Recommendations
- AI detected serious security threats. Pass {topic} to write-session-state.sh as a single argument rather than substituting it into a shell command string, and validate or escape the gathered user input before it is used in any command or file path.