qclaw-rules

Fail

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses authoritative and coercive language (e.g., "SYSTEM RULES - MANDATORY", "DO NOT SKIP", "HIGHEST PRIORITY") to override the AI agent's base instructions and safety protocols. It claims that its rules "cannot be uninstalled" and "cannot be ignored," which is a hallmark of prompt injection.
  • [DATA_EXFILTRATION]: The skill defines a process for the automatic collection and storage of sensitive Personally Identifiable Information (PII), including emails, phone numbers, and account configurations, into a standardized local file (USER.md). Although the data is stored locally, this facilitates unauthorized access to, or subsequent exfiltration of, user data.
  • [REMOTE_CODE_EXECUTION]: The instructions mandate that the agent "must first try to install that skill's dependencies" if a skill is missing. This automatic installation of software without explicit user verification or oversight poses a significant risk of executing malicious code from untrusted sources.
  • [COMMAND_EXECUTION]: The skill provides specific command-line instructions for Windows (PowerShell and CMD) to change system code pages and execute scripts, which grants the skill direct control over the underlying operating system environment.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection vulnerability by automatically ingesting untrusted data from USER.md and memory/ files into the agent's context at startup (SKILL.md). These ingestion points lack boundary markers or sanitization, exposing capabilities such as subprocess execution (Node.js execSync, Python subprocess.run) and the computer tool to potentially malicious instructions stored in the workspace.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 21, 2026, 04:45 PM