claude-md-progressive-disclosurer

Warn

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • CREDENTIALS_UNSAFE (MEDIUM): The skill's primary logic (found in SKILL.md and progressive_disclosure_principles.md) specifically targets the identification and migration of 'Infrastructure credentials', 'APIs', and 'credentials paths'. Centralizing sensitive data into specific 'reference' files makes them easier targets for subsequent exfiltration attacks.
  • PROMPT_INJECTION / DECEPTION (MEDIUM): The file '.security-scan-passed' is a metadata poisoning attempt. It provides a fake security clearance and hash to discourage manual auditing. Per the analyzer's global rules, this is treated as a deceptive pattern.
  • COMMAND_EXECUTION (MEDIUM): The skill performs 'Extract to skill' operations which involve writing new skill definitions and scripts to a skills repository. This provides a mechanism for the agent to generate and later execute unauthorized code.
  • DATA_EXFILTRATION (LOW): The skill accesses the sensitive local path '~/.claude/CLAUDE.md'. While no network transmission is explicitly coded, the capability to aggregate sensitive context is a high-risk prerequisite for data theft.
  • INDIRECT PROMPT INJECTION (LOW): The skill has an attack surface for indirect injection by processing untrusted user data from CLAUDE.md to create new files.
    • Ingestion points: '~/.claude/CLAUDE.md' (SKILL.md Step 1).
    • Boundary markers: Absent; the skill blindly processes sections of the file based on line count.
    • Capability inventory: File read (CLAUDE.md), File write ('~/.claude/references/'), and directory creation ('skills repository').
    • Sanitization: Absent; content is moved 'as-is' or 'enhanced' without validation.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 23, 2026, 05:28 AM