authoring-claude-md
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is susceptible to indirect prompt injection because it is designed to ingest untrusted data from a codebase and has the authority to write to persistent project memory files.
- Ingestion points: The skill explicitly instructs the agent to read and explore external codebase content using
Read,Grep, andGlobtools. - Boundary markers: Although the skill suggests using XML-style tags for output organization, it provides no instructions or system-level delimiters to prevent the agent from being influenced by malicious instructions embedded within the source files it analyzes.
- Capability inventory: The skill's metadata authorizes
WriteandEditpermissions, allowing the agent to modify theCLAUDE.mdfile, which serves as a trusted long-term context for all subsequent agent sessions in that project. - Sanitization: The skill lacks any requirement or methodology for the agent to sanitize, filter, or validate the content extracted from the codebase before incorporating it into the project documentation.
Recommendations
- AI detected serious security threats
Audit Metadata