ljg-skill-map
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: Executes a local bash script
scripts/scan.shto iterate through directories and extract YAML frontmatter from files. While functional for a skill map, it represents a direct shell execution capability.\n- [DATA_EXFILTRATION]: Performs recursive reads within the~/.claude/skills/directory. Although no network exfiltration is observed, the skill exposes the documentation and configuration of all installed skills to the active context.\n- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection (Category 8). Maliciously crafted descriptions in other installed skills could attempt to override agent instructions when processed during the categorization and ASCII rendering phases. \n - Ingestion points: Metadata extraction from
SKILL.mdfiles viascripts/scan.sh. \n - Boundary markers: Absent; descriptions are interpolated into the prompt for classification without delimitation or instructions to ignore embedded commands. \n
- Capability inventory: Local file system read and bash script execution. \n
- Sanitization: Includes shell-level escaping for quotes and backslashes in the script, but lacks natural language sanitization for the LLM processing stage.
Audit Metadata