add-thinker
Warn
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Persistence via Global Filesystem Modification. The skill uses tools to write generated instruction files to the user's home directory (
~/.claude/skills/). This allows the newly created skills—and any malicious instructions they might contain—to persist across all agent sessions and project environments. - [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill performs 'Deep Research' using
WebSearchandWebFetchto gather information from untrusted external sources and then synthesizes that data into executable agent instructions. - Ingestion points: Data enters the context via
WebSearchandWebFetchduring the Phase 2 research stage (SKILL.md). - Boundary markers: The prompts provided to the research agents do not include delimiters or instructions to ignore potential adversarial content embedded in web pages or primary sources.
- Capability inventory: Both the generator skill and the resulting synthesized skills are granted high-privilege tools, including
Bash,Write, andAgent. - Sanitization: The skill lacks a validation or sanitization step to ensure that 'principles' extracted from the web do not contain malicious commands or safety bypasses before they are written to the global skill directory.
- [COMMAND_EXECUTION]: Arbitrary File Creation. The skill facilitates the creation of new executable instruction sets (
SKILL.mdfiles) based on dynamically researched content, which can be used to bypass typical repository-level security constraints.
Audit Metadata