code-cleanup
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses git commands (such as `git remote get-url origin`, `git log`, and `git worktree list`) and filesystem operations (rename, move, archive, delete) to manage the `~/code/` directory. While these are intended for cleanup, they involve direct interaction with the system shell and filesystem.
- [DATA_EXFILTRATION]: The skill reads and summarizes the user's local directory structure, repository names, and git remote URLs. This information is exposed to the agent's context, which constitutes an exposure of the user's development environment metadata.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from the local filesystem to drive its logic.
  - Ingestion points: Repository folder names, git remote URLs, and file contents (e.g., `DESCRIPTION`, `Project.toml`, `.qmd`) within subdirectories of `~/code/` (File: SKILL.md).
  - Boundary markers: Absent; the instructions do not specify delimiters or warnings to ignore instructions embedded in the discovered metadata.
  - Capability inventory: The skill can perform filesystem modifications including renaming, moving, archiving, and deleting directories, as well as updating `~/CLAUDE.md` (File: SKILL.md).
  - Sanitization: Absent; there is no evidence of sanitization or validation of the strings parsed from the local environment before they are processed by the agent.
Audit Metadata