rule-creator
Warn
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill uses authoritative 'Iron Laws' and 'MANDATORY' protocols to influence agent behavior. It includes explicit instructions to 'follow it exactly as presented' and 'Assume interruption: If it's not in memory, it didn't happen.' Additionally, the skill is vulnerable to indirect prompt injection because it writes untrusted user content from the `--content` argument into project rule files and persistent memory.
  - Ingestion points: Untrusted data enters via the `--content` argument in SKILL.md and scripts/main.cjs.
  - Boundary markers: No delimiters or 'ignore' warnings are used when the content is written to the .claude/rules/ directory.
  - Capability inventory: The script scripts/main.cjs uses fs.writeFileSync and fs.appendFileSync, which allow persistent storage of potentially malicious instructions in the project context.
  - Sanitization: The skill only performs basic string trimming and title casing, leaving any embedded instructions in the content argument intact.
- [COMMAND_EXECUTION]: The workflow requires the agent to execute local scripts such as validate-integration.cjs and companion-check.cjs using node. These files are not provided in the skill package, creating a dependency on external executable content in the local environment.
Audit Metadata