claude-cli-agent

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to use the --dangerously-skip-permissions flag when running the Claude CLI. This flag is explicitly designed to bypass user interface approval and security prompts during automated operations.
  • [COMMAND_EXECUTION]: Fallback procedures recommend that the agent dynamically generate and execute Python scripts to process files larger than 5MB. This involves runtime code creation and execution to circumvent CLI pipe limitations.
  • [EXTERNAL_DOWNLOADS]: The skill references the @anthropic-ai/claude-code package. This dependency originates from Anthropic, which is a recognized and trusted technology organization.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by piping external file content directly into a sub-agent context.
    1. Ingestion points: Local files and redirected input processed via shell piping as described in SKILL.md.
    2. Boundary markers: The skill lacks formal structural delimiters for external content and relies on natural language instructions (e.g., 'Do NOT use tools') to restrict sub-agent behavior.
    3. Capability inventory: The agent has access to Bash, Read, and Write tools, which could be exploited if the sub-agent is successfully injected.
    4. Sanitization: There is no evidence of sanitization or escaping of input data before it is piped to the sub-agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 03:24 AM