setup
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill performs git clones of multiple repositories from an untrusted GitHub user account (spm1001/claude-suite, spm1001/todoist-gtd, spm1001/claude-mem).
- REMOTE_CODE_EXECUTION (HIGH): After cloning, the skill immediately executes code from these repositories, including Python scripts for authentication (todoist.py auth) and synchronization tools (uv run mem scan). There is no verification of the downloaded content before execution.
- PERSISTENCE MECHANISMS (HIGH): The skill installs shell scripts into ~/.claude/hooks/ and ~/.claude/scripts/. These directories are typically used for session lifecycle hooks, meaning code from the untrusted repository will be automatically executed in future sessions.
- COMMAND_EXECUTION (MEDIUM): The skill uses ln -sf to symlink arbitrary directories and scripts into the agent's configuration path, allowing the external repository to dictate which executable files are active in the environment.
- INDIRECT PROMPT INJECTION (LOW): The installation of 'behavioral skills' and 'memory' tools creates a large attack surface where external data (like Todoist tasks or session history) can influence agent behavior.
Evidence:
- Ingestion points: ~/.claude/skills/mem (SKILL.md)
- Boundary markers: None present in the setup script.
- Capability inventory: Subprocess calls (via scripts), network access (via the Todoist API), and file-write capabilities.
- Sanitization: None detected in the setup process.
Recommendations
- AI detected serious security threats
Audit Metadata