content-writer
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a shell script in Step 3 that uses the `find` command to dynamically search for a reference file (`content-writing.md`) within various hidden plugin and skill directories (e.g., `~/.claude/plugins`, `~/.claude/skills`). While intended for local path discovery, this involves active shell command execution.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because its primary function is to ingest untrusted data from external URLs (via firecrawl/web tools) or local files to perform content audits and rewrites. Malicious instructions embedded in these external sources could attempt to influence the agent's behavior.
- Ingestion points: Users provide a "URL to improve" or "file path" as the primary input.
- Boundary markers: The instructions do not define clear boundary markers or instructions for the agent to ignore potentially malicious directions within the ingested content.
- Capability inventory: The skill executes shell commands (`find`) and has the capability to generate code-like structures (JSON-LD) and read arbitrary local files if provided as paths.
- Sanitization: No sanitization or validation of the external content is described before it is processed by the agent.
- [EXTERNAL_DOWNLOADS]: The skill's workflow explicitly instructs the agent to use external crawling tools like `firecrawl` or `WebSearch` to fetch content from remote URLs provided by the user.
Audit Metadata