skill-builder
Warn
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [PERSISTENCE_MECHANISMS]: The skill includes an installation script (`scripts/install-hook.sh`) that modifies the platform's configuration file at `~/.claude/settings.json`. This script registers a `UserPromptSubmit` hook that persists across different sessions and automatically executes a monitoring script (`scripts/task-tracker.py`) whenever the user submits a prompt.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The monitoring script (`scripts/task-tracker.py`) reads user prompts from the input stream and appends them to a local history log file at `~/.claude/skill-builder-history.jsonl`. This behavior results in the systematic logging of user interaction data on the host machine.
- [DYNAMIC_EXECUTION]: The `scripts/install-hook.sh` script utilizes a heredoc to execute an embedded Python script at runtime (`python3 - <<'PY'`) to perform logic for merging hook configurations into the existing JSON settings file.
- [INDIRECT_PROMPT_INJECTION]: The `scripts/task-tracker.py` script processes untrusted user input directly from stdin. This input is then tokenized and used to generate a `<system-reminder>` which is injected back into the agent's context. While the script uses tokenization and stemming as a form of sanitization, it represents an attack surface for influencing agent behavior via processed prompt history.
Audit Metadata