sidequest
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH COMMAND_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The scripts/sidequest.sh script is vulnerable to command injection via shell metacharacters.
  - The script uses osascript to launch a new terminal and execute a command: cd '$PWD' && claude -p "$escaped_prompt".
  - The $escaped_prompt variable, which contains the user-provided task description, is passed through escape_for_applescript. However, this function only escapes double quotes and backslashes. It does not escape shell-active characters like $ (dollar sign) or ` (backticks).
  - An attacker can provide a task description containing shell substitutions (e.g., $(touch /tmp/pwned)) which will be executed by the shell in the newly spawned terminal session.
  - Additionally, the $PWD variable is used inside single quotes in cd '$PWD'. If a user is in a directory with a name containing a single quote followed by shell commands, this would also lead to command injection.
- DATA_EXFILTRATION (LOW): The skill gathers local system context (current working directory, git branch, and recent file activity) and passes it to an external process (claude CLI). While this is the intended functionality, it constitutes a crossing of session boundaries for sensitive environment data.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection. It ingests data from untrusted sources such as git branch names and recent file content, which are then interpolated into the system prompt of the new Claude session without sufficient sanitization or boundary markers.
Recommendations
- AI detected serious security threats