tech-research
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script (scripts/grok_setup.sh) that uses Python to programmatically read and modify the user's primary configuration file (~/.claude.json). This modification adds a new MCP server configuration to enable persistent browser profiles for research tasks. The script also uses dynamic execution of Python code snippets to handle JSON manipulation at runtime.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from X/Twitter (via Grok), GitHub (via DeepWiki), and general web searches.
  - Ingestion points: Untrusted data enters the context through browser snapshots of social media posts and GitHub repository analysis (documented in references/subagent_templates.md).
  - Boundary markers: While subagents use structured reporting templates, the main skill (SKILL.md) lacks explicit boundary markers or instructions for the agent to ignore embedded commands during the final synthesis of these findings.
  - Capability inventory: The skill possesses powerful capabilities, including local command execution, modification of system-level configuration files, and browser automation.
  - Sanitization: There is no evidence of sanitization or validation of the retrieved external content before it is incorporated into the agent's decision-making and reporting workflow.