cx-init
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Persistence Mechanisms] (HIGH): The skill modifies .claude/settings.json to register hooks that execute bash scripts on triggers like SessionStart and PostToolUse, ensuring its code runs automatically.
- [Privilege Escalation] (HIGH): It configures a PermissionRequest hook and sets permission_auto_approve to true, explicitly bypassing user confirmation for agent commands.
- [Dynamic Execution] (MEDIUM): The skill generates and registers local shell scripts for automated execution without verified source integrity.
- [Indirect Prompt Injection] (LOW): It modifies CLAUDE.md by interpolating user-provided developer_id into a block used for agent instructions. Evidence: 1. Ingestion point: developer_id at Step 2.1. 2. Boundary markers: in Step 6.2. 3. Capability inventory: Writing scripts and modifying settings hooks. 4. Sanitization: None observed.
Recommendations
- AI detected serious security threats
Audit Metadata