cartographer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill maps codebases by reading all files, making it highly vulnerable to instructions hidden within the source code of the project being analyzed.
- Ingestion points: Sonnet subagents read all files in the target directory (Step 4).
- Boundary markers: No boundary markers or 'ignore' instructions are present in the subagent prompt template to prevent the AI from obeying instructions found inside the scanned files.
- Capability inventory: The skill modifies local files (docs/CODEBASE_MAP.md and CLAUDE.md) and can execute shell commands (pip, git, python3).
- Sanitization: No sanitization or validation logic is defined for the content extracted from the codebase before it is used to generate documentation or influence agent decisions.
- Command Execution (MEDIUM): The skill executes a script located at ~/.claude/skills/cartographer/scripts/scan-codebase.py. This script's logic is opaque and resides in a local path that could be subject to tampering or unexpected behavior.
- External Downloads (MEDIUM): The skill prompts the agent to perform runtime package installations (pip install tiktoken). While tiktoken is a common library, runtime installations from within an agent skill can be exploited if the package name is targeted or if the environment is not properly isolated.
- Metadata Poisoning (LOW): The skill references an untrusted external repository (https://github.com/kingbootoshi/cartographer) which is not on the trusted sources list. This may lead users to download additional unverified content.
Recommendations
- AI detected serious security threats
Audit Metadata