growth-at-scale

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the user to configure MCP servers that download and execute packages from npm using npx -y, which suppresses the install confirmation prompt. These packages are published under the @anthropic npm scope. The trusted-organization list identifies 'anthropics' (plural) as trusted; 'anthropic' (singular) fails the exact match, so these packages are classified as untrusted sources.
  • Evidence: Commands such as npx -y @anthropic/mcp-google-ads in SKILL.md.
  • [REMOTE_CODE_EXECUTION] (HIGH): Running external packages with npx -y executes whatever code the package and its npm install scripts contain on the host machine, both during setup and whenever the growth tools run.
  • [COMMAND_EXECUTION] (HIGH): The skill requires modifying the agent's core configuration file (~/.claude/settings.json). This acts as a persistence mechanism: the externally sourced, potentially malicious code is loaded and executed in every future session without further user action.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because of its data ingestion surface:
  • Ingestion points: Untrusted content provided to /social post, /newsletter draft, and social media inputs.
  • Boundary markers: The provided examples use no explicit delimiters around untrusted content and no 'ignore embedded instructions' warning.
  • Capability inventory: Extensive network and system access through the Google Ads, Meta Ads, Twitter and HubSpot APIs, plus full browser automation via mcp__claude-in-chrome.
  • Sanitization: No evidence of content sanitization or validation before content is transmitted to external platforms.
  • [DATA_EXFILTRATION] (MEDIUM): The references/api-research.md file demonstrates patterns for handling sensitive API keys (Google Ads, Meta, Twitter, Buttondown) via environment variables that are then passed to external CLI and curl commands. Each such command is a point at which a credential can leak, so together they form an exposure surface for credentials.
  • [DYNAMIC_EXECUTION] (MEDIUM): The skill uses browser automation (mcp__claude-in-chrome) for platforms without APIs (e.g., Substack, Product Hunt). This involves dynamic interaction with web forms and simulated clicking, which an attacker can hijack by getting the agent to process injected instructions.
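An added check that applies the EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION and DATA_EXFILTRATION findings above mechanically to an MCP server configuration. This is example code written for this page, not the Gen Agent Trust Hub scanner and not part of the skill. It assumes a config of the shape {"mcpServers": {name: {"command", "args", "env"}}}, a constructed sample config, and a constructed exact-match trusted-scope allowlist; the package names only echo the pattern quoted from SKILL.md and are not assumed to exist on npm.

```python
import json
import re

# Constructed sample in the assumed shape; package names, versions and the
# token value are illustrative and do not refer to real published packages.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "google-ads": {"command": "npx", "args": ["-y", "@anthropic/mcp-google-ads"]},
        "meta-ads": {
            "command": "npx",
            "args": ["--yes", "@anthropic/mcp-meta-ads@latest"],
            "env": {"META_ACCESS_TOKEN": "EAAB-example-not-a-real-token"},
        },
        "pinned": {"command": "npx", "args": ["@anthropics/example-server@1.4.2"]},
        "local": {"command": "node", "args": ["./servers/local.js"]},
    }
})

TRUSTED_SCOPES = {"anthropics"}          # exact-match allowlist, as the report applies it
NPM_RUNNERS = {"npx", "bunx", "pnpx"}    # commands that fetch a package before running it
AUTO_YES = {"-y", "--yes"}               # flags that suppress the install confirmation
HIGH_CATEGORIES = {"EXTERNAL_DOWNLOADS", "REMOTE_CODE_EXECUTION"}
SECRET_HINT = re.compile(r"TOKEN|SECRET|KEY|PASSWORD|CREDENTIAL", re.I)
# @scope/name@version with scope and version optional
PKG_RE = re.compile(r"^(?:@(?P<scope>[^/]+)/)?(?P<name>[^@]+)(?:@(?P<version>.+))?$")
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def audit_servers(config_text):
    """Return (server, category, detail) findings for each MCP server entry."""
    findings = []
    for server, spec in json.loads(config_text).get("mcpServers", {}).items():
        # Any secret in env is handed to whatever the server process executes.
        for key in spec.get("env", {}):
            if SECRET_HINT.search(key):
                findings.append((server, "DATA_EXFILTRATION",
                                 f"credential {key} is exposed to the server process"))
        if spec.get("command") not in NPM_RUNNERS:
            continue  # local binaries are out of scope for the download checks
        args = spec.get("args", [])
        if AUTO_YES & set(args):
            findings.append((server, "EXTERNAL_DOWNLOADS",
                             "auto-confirmed install: package is fetched and run without a prompt"))
        positional = [a for a in args if not a.startswith("-")]
        if not positional:
            continue
        match = PKG_RE.match(positional[0])
        if match is None:
            continue
        scope, version = match.group("scope"), match.group("version")
        # Without an exact pin, the registry decides which code runs on each resolution.
        if version is None or not EXACT_VERSION.match(version):
            findings.append((server, "REMOTE_CODE_EXECUTION",
                             f"unpinned spec {positional[0]!r}: resolves to whatever the registry "
                             "currently publishes, so a newly pushed version changes what runs"))
        if scope not in TRUSTED_SCOPES:
            # Report look-alike scopes explicitly; exact matching is deliberate and must not be relaxed.
            near = [t for t in TRUSTED_SCOPES
                    if scope and (t.startswith(scope) or scope.startswith(t))]
            hint = f" (near-miss of trusted scope {near[0]!r})" if near else ""
            findings.append((server, "UNTRUSTED_SOURCE",
                             f"scope {scope!r} is not on the exact-match allowlist{hint}"))
    return findings


def risk_level(findings):
    """Collapse findings to the report's HIGH/MEDIUM/LOW scale."""
    categories = {category for _, category, _ in findings}
    if categories & HIGH_CATEGORIES:
        return "HIGH"
    return "MEDIUM" if categories else "LOW"


if __name__ == "__main__":
    results = audit_servers(SAMPLE_CONFIG)
    for server, category, detail in results:
        print(f"[{category}] {server}: {detail}")
    print("Risk Level:", risk_level(results))
```

The near-miss hint exists so that a reviewer sees why @anthropic was rejected instead of silently loosening the allowlist to a prefix match, which is exactly the typosquatting gap exact matching is there to close. Pinning an exact version removes the "whatever is latest" problem but does not vet the pinned code itself; that still needs a review of the package contents or a lockfile with integrity hashes.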
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:25 PM