claude-code-copy-markdown
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute the
pbcopycommand via a shell heredoc to move data to the system clipboard. While this is the intended functionality, it grants the agent the ability to perform local command execution. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and reformats conversation history that might contain malicious instructions from external tool outputs or web content.
- Ingestion points: The skill explicitly reads from the "previous response" or user-specified conversation parts in SKILL.md.
- Boundary markers: There are no explicit instructions or delimiters provided to the agent to ensure it ignores any instructions embedded within the text it is tasked to copy.
- Capability inventory: The skill possesses the capability to execute shell commands (
pbcopy) and access all previous conversation data. - Sanitization: While the shell command uses a quoted heredoc (
MARKDOWN_EOF) to prevent literal command injection, there is no logic to sanitize the content against LLM-level instruction following during the reformatting phase.
Audit Metadata