command-creator
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/main.cjs modifies JavaScript routing tables by directly interpolating the skill argument into a single-quoted string within a configuration file. Because the input is not escaped, it allows for property injection or arbitrary code execution when the agent loads its routing configuration.
- [EXTERNAL_DOWNLOADS]: The skill specifies a mandatory research phase using WebFetch to query the arXiv API and utilizing the Exa search tool. These operations target well-known academic and technology services.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by placing unsanitized user input into generated command files and catalogs.
  - Ingestion points: Arguments name, skill, and description are accepted as user input and processed in scripts/main.cjs.
  - Boundary markers: Absent. Generated command files do not use delimiters or instructions to the agent to disregard instructions embedded within the description field.
  - Capability inventory: The skill utilizes fs.writeFileSync and fs.appendFileSync to modify command definitions, discovery catalogs, and internal routing tables.
  - Sanitization: Only the name parameter is sanitized via regex; the skill and description parameters are only trimmed, allowing potentially malicious instructions to persist in generated files.
- [COMMAND_EXECUTION]: The skill performs file system modifications on internal agent directories (.claude/) to update discovery catalogs and intent routing logic, which determines how the framework interprets and executes user commands.
Audit Metadata