directory-naming-convention

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection because it reads and processes code files from the 'components/**/*' directory without employing boundary markers or sanitization. Combined with its 'Write' and 'Edit' capabilities, a malicious actor could embed instructions within repository files to trick the agent into performing unauthorized code modifications.
    • Ingestion points: Files matching 'components/**/*' via the 'Read' tool.
    • Boundary markers: None detected in the instructions or examples.
    • Capability inventory: 'Read', 'Write', and 'Edit' tools provide the agent with full file system modification privileges within its scope.
    • Sanitization: No input validation or escaping of external content is specified before processing.
  • Command Execution (MEDIUM): The 'Memory Protocol' section explicitly mandates the execution of a shell command ('cat .claude/context/memory/learnings.md'). While targeted at an internal context file, the practice of using raw shell commands for state management introduces risks of unauthorized file access or potential path traversal if the environment is not strictly locked down.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:27 AM