plugins
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFE
Flagged categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates downloading and installing extensions from external Git repositories via the /plugins add command. While this allows for remote code acquisition, the behavior is the primary stated purpose of the tool. Example references include the official Claude plugins repository and the author's own infrastructure.
- [COMMAND_EXECUTION]: The skill utilizes several system commands, including git clone, jq, yq, and node, to manage the lifecycle of plugins. It also generates a shell script (setup-plugins.sh) for reproducing environments, which requires manual execution by the user.
- [DATA_EXFILTRATION]: The skill accesses local agent configuration files, such as installed_plugins.json and known_marketplaces.json, located in the agent's home directory. This data exposure is limited to reading metadata for the purpose of generating a unified manifest and does not involve sending data to unauthorized external endpoints.
- [PROMPT_INJECTION]: The skill possesses a surface for Indirect Prompt Injection (Category 8) as it parses SKILL.md files from external repositories.
  - Ingestion points: /plugins add and /plugins sync read external markdown and YAML content from local and remote paths.
  - Boundary markers: The implementation logic focuses on YAML syntax validation but does not explicitly document boundary markers to isolate instructions within processed files.
  - Capability inventory: The agent has access to shell execution (bash), file system writes, and network operations (git).
  - Sanitization: Basic YAML schema validation is performed, but no deep sanitization of natural language instructions in external skills is mentioned.
Audit Metadata