Skills
skills/samchang72/custom-skills/ai-model-routing/Gen Agent Trust Hub

ai-model-routing

Fail

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions and scripts (such as scripts/auto-fix.sh) that explicitly enable the claude CLI with 'Level 4' permissions. This level grants the AI access to the Bash tool, allowing it to execute arbitrary shell commands on the local system.
  • [PROMPT_INJECTION]: In scripts/auto-fix.sh, user-provided input is passed directly as a prompt to the claude CLI tool while it has broad system permissions. This allows a user to potentially control system behavior through prompt injection.
  • [DATA_EXFILTRATION]: The toolset granted to the AI across various files includes Read, Grep, and Glob, which allow the model to access files throughout the project. When paired with Bash access, this creates a high risk for reading and exfiltrating sensitive data.
  • [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection. It demonstrates piping untrusted content like git diff output, error logs, and build results directly into the model prompt in scripts/code-review.sh and SKILL.md.
  • Ingestion points: scripts/code-review.sh (ingesting git diffs and file content), SKILL.md (piping logs and build outputs directly into the model prompt).
  • Boundary markers: Absent; untrusted data is not delimited or separated from instructions using any special markers.
  • Capability inventory: Full access to Read, Edit, Write, and Bash tools via the claude CLI.
  • Sanitization: No sanitization, escaping, or filtering is performed on external data before it is sent to the model context.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 17, 2026, 02:00 PM