canonical-format-checker
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill directs the agent to read and follow "authoritative format" instructions from local files (e.g., .claude/skills/, .claude/agents/). This creates a vulnerability where an attacker who can modify these files (e.g., via a Pull Request) can inject malicious instructions that the agent will treat as mandatory "Canonical Format" rules during content creation or review.
  - Ingestion points: File reading via cat and head in SKILL.md (Step 2).
  - Boundary markers: Absent. The agent is not instructed to treat the content as untrusted data.
  - Capability inventory: File system inspection (ls) and reading (cat, head).
  - Sanitization: Absent. Content is read directly into context for comparison.
- [Command Execution] (LOW): The skill explicitly instructs the agent to execute shell commands (ls, cat, head) to inspect the local filesystem. While these are restricted to read-only operations in the provided examples, they provide the agent with a mechanism to access sensitive internal configuration directories.
Recommendations
- AI detected serious security threats
Audit Metadata