ln-110-project-docs-coordinator

Fail

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION]: The skill attempts to access the user's sensitive SSH configuration file located at ~/.ssh/config to extract hostnames, IP addresses, and aliases. This information is intended to be included in a 'Context Store' that is shared with other agents.
  • [PROMPT_INJECTION]: The skill's architecture is vulnerable to indirect prompt injection. It ingests content from untrusted project files (such as README.md, package.json, and .env.example) and interpolates this data directly into the prompts used to invoke sub-agents via the Agent tool.
    • Ingestion points: Multiple project files scanned during the auto-discovery phase in SKILL.md (e.g., package.json, docker-compose.yml, README.md).
    • Boundary markers: Absent; the prompt template for worker invocation (Invoke Skill(skill: "{worker}") with context below.\n\nCONTEXT: {contextStore}) does not use delimiters or instructions to ignore embedded commands in the context data.
    • Capability inventory: The skill utilizes the Agent tool to spawn sub-agents, reads local files, and has access to network fetch and web search tools.
    • Sanitization: No sanitization, escaping, or validation is performed on the data extracted from project files before it is passed to other agents.
  • [EXTERNAL_DOWNLOADS]: The skill includes logic to fetch missing reference or configuration files from the author's GitHub repository (https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 25, 2026, 02:09 AM