debug
Warn
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: MEDIUM
Categories: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The documentation provides instructions to access sensitive files containing authentication tokens.
  - Evidence: Explains using `cat .env` to verify `CLAUDE_CODE_OAUTH_TOKEN` and `ANTHROPIC_API_KEY` in `SKILL.md`.
  - Evidence: Accesses `~/.claude/projects/`, which contains session history and potentially sensitive metadata.
- [COMMAND_EXECUTION]: The skill provides numerous examples of powerful shell commands that an agent is encouraged to use for troubleshooting.
  - Evidence: Usage of `docker run` with arbitrary shell commands via the `-c` flag to inspect environment variables and file systems in `SKILL.md`.
  - Evidence: Instructions to use `rm -rf data/sessions/` to clear session data.
  - Evidence: Usage of `sqlite3` to directly modify the application's database.
  - Evidence: Mentions `sudo systemctl start docker` in a diagnostic script snippet.
- [DATA_EXFILTRATION]: The skill facilitates the reading of sensitive configuration and session data from the host system.
  - Evidence: Commands like `cat /workspace/env-dir/env` inside a container that mounts host secrets for verification.
- [PROMPT_INJECTION]: The documented architecture reveals a surface for indirect prompt injection (Category 8).
  - Ingestion points: `SKILL.md` documents an entry point where a JSON payload containing a `prompt` field is piped into a Docker container.
  - Boundary markers: Absent.
  - Capability inventory: `SKILL.md` explicitly lists `Bash`, `Read`, and `Write` as allowed tools for the agent.
  - Sanitization: Absent.
Audit Metadata