plugin-dev-guide

Pass

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: LOW (NO_CODE)
Full Analysis

================================================================================

✅ VERDICT: SAFE

This skill is a purely descriptive guide and routing mechanism. It does not contain any executable scripts, external calls, or direct file system operations. Its purpose is to provide an overview of other plugin development skills and help users navigate them based on their needs.

Total Findings: 1

ℹ️ INFO Findings:

  • Indirect Prompt Injection Susceptibility

  • Line 100: The skill processes user input via $ARGUMENTS to route to other skills or answer directly. While the skill itself is benign, any skill that processes user-provided text is inherently susceptible to indirect prompt injection if malicious instructions are embedded in the user's input. This is a general characteristic of interactive AI systems and not a specific vulnerability in this skill's implementation.

================================================================================

Threat Category Analysis:

  1. Prompt Injection: No patterns detected. The skill does not attempt to override Claude's behavior or bypass safety guidelines.
  2. Data Exfiltration: No patterns detected. The skill does not contain commands to read sensitive files or send data to external servers.
  3. Obfuscation: No obfuscation techniques (Base64, zero-width characters, homoglyphs, encoding) were found.
  4. Unverifiable Dependencies: No external package installations (npm, pip, yarn) or unverified external script downloads were found. The skill refers to other internal skills and agents.
  5. Privilege Escalation: No sudo, doas, chmod, or system file modifications were detected.
  6. Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, crontab) were found.
  7. Metadata Poisoning: The skill's frontmatter (name, description) is benign and accurately reflects its purpose.
  8. Indirect Prompt Injection: The skill processes user input ($ARGUMENTS). This makes it generally susceptible to indirect prompt injection, as malicious instructions could be embedded in the user's request. This is an inherent risk of interactive AI skills, not a specific vulnerability in the skill's code.
  9. Time-Delayed / Conditional Attacks: No conditional logic based on time, usage, or environment to trigger malicious behavior was detected.

Adversarial Reasoning: Given that this skill is purely informational and acts as a router, there are no executable components or external interactions where an attacker could hide malicious code or implement sophisticated evasion techniques. The stated purpose of being a guide aligns perfectly with its content and behavior.

Audit Metadata

Risk Level: LOW
Analyzed: Feb 12, 2026, 02:32 PM