config-restore
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Command Execution (HIGH): The scripts/restore.sh script is vulnerable to path traversal. The directories arguments are joined into TARGET_PATH (e.g., $TARGET_DIR/$dir) without validation. By supplying a value such as ../../, an attacker redirects the copy outside the intended directory and can overwrite critical files such as ~/.ssh/authorized_keys or ~/.bashrc; a write to ~/.bashrc turns this arbitrary file write into command execution the next time a shell starts. Evidence in scripts/restore.sh: TARGET_PATH="$TARGET_DIR/$dir" followed by cp -rf "$SOURCE_PATH/"* "$TARGET_PATH/". One caveat when reproducing: the unquoted * glob in that cp does not match dotfiles unless the shell's dotglob option is set, so a non-dotfile target inside a traversed directory (authorized_keys under ~/.ssh) is reachable with the command exactly as shown, while a dotfile target such as ~/.bashrc depends on the glob options or on the skill's rsync code path (rsync copies dotfiles by default).
- Indirect Prompt Injection (LOW): The skill is designed to ingest and restore configuration files, including skills and commands, into the agent's active environment (~/.claude/).
  - Ingestion points: user-specified source directories (e.g., /tmp/backup).
  - Boundary markers: absent; the script blindly copies files.
  - Capability inventory: file write (cp, rsync) to the agent's configuration directory.
  - Sanitization: absent; the content of restored files is not validated before being placed into the agent's execution path, so a crafted backup can plant a skill or command file that the agent later loads and acts on.
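As an added example (not code from the config-restore skill or from the audit), the following shell script reproduces the quoted join next to a hardened replacement that confines every restore target under TARGET_DIR before anything is copied. The function names, the <source_dir>/<dir> backup layout and the directory names used are assumptions.

```shell
#!/bin/sh
# Added example, not code from the config-restore skill. It reproduces the
# join the audit quotes (TARGET_PATH="$TARGET_DIR/$dir") and shows a hardened
# replacement that confines every target under target_dir. Function and
# variable names are assumptions for illustration.

# Vulnerable join, as quoted in the audit: any "../" in dir escapes target_dir.
vulnerable_target_path() {
    printf '%s\n' "$1/$2"
}

# Hardened join. Rejects empty, absolute and ".."-containing names, then
# canonicalises the deepest existing ancestor of the candidate (so a symlink
# planted inside target_dir cannot redirect the write either) and checks that
# it still lies under the canonical target_dir. Prints the path on success and
# returns 1 without printing anything otherwise.
safe_target_path() {
    target_dir=$1
    dir=$2
    case "$dir" in
        ''|/*) return 1 ;;                      # empty or absolute
        ..|../*|*/..|*/../*) return 1 ;;        # any ".." path component
    esac
    base=$(cd "$target_dir" 2>/dev/null && pwd -P) || return 1
    candidate="$base/$dir"
    probe=$candidate
    while [ ! -d "$probe" ]; do                 # stops at $base at the latest
        probe=$(dirname "$probe")
    done
    resolved=$(cd "$probe" 2>/dev/null && pwd -P) || return 1
    case "$resolved" in
        "$base"|"$base"/*) printf '%s\n' "$candidate" ;;
        *) return 1 ;;
    esac
}

# Hardened restore step for one directory entry, replacing the audited
#   TARGET_PATH="$TARGET_DIR/$dir"; cp -rf "$SOURCE_PATH/"* "$TARGET_PATH/"
# Assumes (hypothetically) that the backup mirrors the target layout:
# <source_dir>/<dir>/...
restore_dir() {
    source_dir=$1
    target_dir=$2
    dir=$3
    target_path=$(safe_target_path "$target_dir" "$dir") || {
        printf 'refusing to restore %s: resolves outside %s\n' "$dir" "$target_dir" >&2
        return 1
    }
    mkdir -p "$target_path" || return 1
    # "<dir>/." copies the directory contents including dotfiles; the audited
    # "$SOURCE_PATH/"* glob silently skips dotfiles unless dotglob is set.
    cp -R "$source_dir/$dir/." "$target_path/"
}
```

Call restore_dir "$SOURCE_DIR" "$TARGET_DIR" "$dir" in place of the audited two lines: ../../, /etc and skills/../../.ssh are refused before anything is copied, and a symlink planted inside the target directory that points outside it is refused as well. This confines only the write location; it does nothing about the content of the restored skills and commands, which is the separate Sanitization finding.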
Recommendations
- AI detected serious security threats