package-plugin
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/package.py executes the system zip and unzip utilities via subprocess.run to package and verify plugin archives. Evidence: The subprocess.run(cmd, ...) calls in package_plugin, package_skill, and verify_package pass list-based arguments without a shell, which prevents shell injection through the arguments.
- [PROMPT_INJECTION]: The skill processes untrusted plugin data (manifests and skill files) which represents a surface for indirect prompt injection. Ingestion points: Reads .claude-plugin/plugin.json and skills/*/SKILL.md in scripts/package.py. Boundary markers: No delimiters or instructions to ignore embedded commands are present when processing these files. Capability inventory: The skill is limited to packaging and verifying local files and does not perform network operations. Sanitization: Performs structural validation of the JSON manifest (checking for kebab-case names and semver versions) before processing.
Audit Metadata