bootstrap
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill instructs the agent to run `scripts/gather-git-state.sh` and `scripts/copy-to-clipboard.sh`. These scripts are external to the analyzed file and represent unverified execution paths. If the skill package is from an untrusted source, these scripts could perform arbitrary malicious actions on the host system.
- PROMPT_INJECTION (HIGH): (Category 8: Indirect Prompt Injection) The skill processes untrusted conversation history to determine future actions.
  - Ingestion points: Step 1 of the 'Execution Steps' requires the agent to 'Review conversation, understand what happened'.
  - Boundary markers: Absent. There are no instructions to ignore or delimit potentially malicious content within the session history.
  - Capability inventory: Execution of shell scripts (`scripts/gather-git-state.sh`, `scripts/copy-to-clipboard.sh`) and file-write operations to the `.claude/handoffs/` directory.
  - Sanitization: Absent. The skill does not perform any validation or escaping of the session content before drafting the 'Resume Instructions' or 'Next Steps'.
- DATA_EXFILTRATION (MEDIUM): The skill uses `scripts/copy-to-clipboard.sh` (described as using `pbcopy`) to move potentially sensitive project state and session history to the system clipboard, making it accessible to any other application running on the system without further user interaction.
Recommendations
- AI detected serious security threats
Audit Metadata