shell-testing-framework
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface because it ingests untrusted external content (user-provided shell scripts) and has the capability to execute that content to verify coverage and performance targets.
- Ingestion points: User-provided shell script files and function definitions provided via prompt or filesystem (referenced in README.md).
- Boundary markers: None identified; the skill assumes all provided code is legitimate targets for execution.
- Capability inventory: The README.md examples demonstrate the use of subshells (`$(...)`) and `source` commands in `test-module.sh`, which allow for arbitrary command execution.
- Sanitization: No mention of sandboxing, linter-based validation, or restricted execution environments for the shell code being tested.
- Dynamic Execution (HIGH): The skill generates and executes shell scripts (`.sh`) at runtime. While this is the stated purpose of a testing framework, the lack of isolation when executing dynamically generated or user-provided scripts poses a high risk to the host environment.
- Metadata Poisoning (MEDIUM): The README.md claims the skill is already installed at a specific path (`~/Library/Application Support/Claude/skills/shell-testing-framework/`). This type of authoritative metadata can be used to deceive agents into trusting the skill's origin or state without verification.
Recommendations
- AI detected serious security threats
Audit Metadata