ccw-loop

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill executes arbitrary commands retrieved from the package.json file of the workspace it is operating on. Specifically, action-validate-with-file.md reads the test and test:coverage scripts and passes them directly to Bash. This allows a malicious repository to execute arbitrary code on the host system.
      Evidence: File phases/actions/action-validate-with-file.md extracts packageJson.scripts?.test and executes it via Bash({ command: testScript }).
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection because it interpolates unsanitized user-provided input (task_description) and external content (source code files) directly into prompts sent to the ccw cli and subagents.
      Evidence: File phases/actions/action-init.md interpolates ${state.task_description} into analysisPrompt. File phases/actions/action-develop-with-file.md does the same for implementation tasks.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill possesses the capability to write files, execute shell commands, and invoke subagents based on the output of an LLM that is processing untrusted data (the task description and the source code). This chain of capabilities, combined with a lack of input validation, creates a significant RCE surface.
      Evidence: The orchestrator loop in action-develop-with-file.md uses the ccw cli to generate implementation code, which is then applied to the local filesystem.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 10:42 AM