debug
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides numerous shell commands and a complex bash diagnostic script designed to be executed on the host system. These include docker commands that run arbitrary logic inside containers, process monitoring, and file system manipulation for debugging purposes.
- [CREDENTIALS_UNSAFE]: Instructions guide the user or agent to read and verify sensitive credentials, specifically 'CLAUDE_CODE_OAUTH_TOKEN' and 'ANTHROPIC_API_KEY', from '.env' files. This exposes authentication secrets to the process context.
- [PROMPT_INJECTION]: The skill recommends configuring the agent with 'allowDangerouslySkipPermissions: true' and 'permissionMode: bypassPermissions'. These settings explicitly override the agent's safety protocols and confirmation prompts, allowing unrestricted tool usage.
- [DATA_EXFILTRATION]: The skill documents access to and manipulation of Claude session history located at '~/.claude/projects/'. This directory contains sensitive conversation logs and session metadata.
- [PROMPT_INJECTION]: Indirect Prompt Injection Attack Surface identified.
  - Ingestion points: The system reads external, untrusted data from WhatsApp messages and task requests via files in 'data/ipc/messages/' and 'data/ipc/tasks/'.
  - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the documentation for handling these inputs.
  - Capability inventory: The agent is configured with high-privilege tools including 'Bash', 'Read', and 'Write', combined with the 'bypassPermissions' mode.
  - Sanitization: There is no evidence of sanitization or validation of the incoming IPC message content before it is processed by the agent.
Audit Metadata