omega-claude-cli
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses `npx -y @anthropic-ai/claude-code` in `scripts/ask-claude.mjs` and `scripts/verify-setup.mjs` to execute the Claude CLI. This pattern downloads and runs code from the NPM registry at runtime. The package is published by the `@anthropic-ai` organization, which is a trusted vendor.
- [COMMAND_EXECUTION]: The script `scripts/ask-claude.mjs` manages subprocesses to interact with the Claude CLI.
  - It utilizes `child_process.spawn` with `shell: false` to execute the tool, mitigating common shell injection vectors.
  - On Windows, it spawns `taskkill` to handle process termination when timeouts occur.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface due to how it interpolates user data.
  - Ingestion points: Untrusted prompt text is accepted via command-line arguments or `stdin` in `scripts/ask-claude.mjs`.
  - Boundary markers: The input is interpolated directly into the `-p` argument of the CLI command without the use of delimiters (such as XML tags) or instructions for the model to ignore potential instructions embedded within the data.
  - Capability inventory: The skill invokes the secondary Claude session with the `--dangerously-skip-permissions` flag, which allows the headless session to execute tools without user confirmation.
  - Sanitization: There is no escaping or validation of the input prompt before it is passed to the execution wrapper.
- [EXTERNAL_DOWNLOADS]: The use of `npx` results in the download of the `@anthropic-ai/claude-code` package from a remote registry if it is not present locally. This is a functional requirement for the skill and targets a trusted source.