claude-code-configuration

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [DATA_EXFILTRATION] (LOW): The skill identifies sensitive local configuration files such as 'claude_desktop_config.json' and '.claude/settings.json'. These files are high-value targets as they often contain plaintext API keys, tokens, and internal environment variables.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The skill provides instructions for configuring 'extraKnownMarketplaces' using arbitrary Git and GitHub URLs. Instructing an agent to add and install plugins from unverified remote repositories creates a direct path for remote code execution.
  • [COMMAND_EXECUTION] (MEDIUM): The skill demonstrates how to define 'mcpServers' with 'command' and 'args' fields. This capability allows for the persistent execution of arbitrary local binaries or scripts by the Claude Desktop application on the host machine.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): Example configurations include external sources from untrusted domains (e.g., git.company.com). Loading executable plugins from these sources bypasses standard security vetting and can introduce malicious dependencies into the agent's environment.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill enables the agent to process project-level configuration files ('.claude/settings.json') which can be controlled by an external attacker through a shared repository.
  • Ingestion points: '.claude/settings.json' in the project directory.
  • Boundary markers: Absent; the skill does not instruct the agent to ignore instructions embedded within the data it reads.
  • Capability inventory: File system read/write, JSON processing (jq), and plugin installation capabilities.
  • Sanitization: Absent; the skill suggests syntax validation via 'jq' but lacks logic for sanitizing or verifying the safety of the configuration content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:26 PM