reviewing-plugin-marketplace
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Command Execution (HIGH): The skill instructs the agent to execute a local bash script:
  bash scripts/verify-marketplace.sh [marketplace-directory]
  Executing opaque scripts bundled with a skill is a high-risk operation, as the script content is not audited for malicious commands like file deletion or unauthorized modifications. It also calls git remote -v on user-provided directories.
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect prompt injection as it processes data from untrusted external sources to guide agent decision-making.
  - Ingestion points: The skill reads .claude-plugin/marketplace.json, .claude-plugin/plugin.json, and README.md from arbitrary directories provided by the user.
  - Boundary markers: Absent. There are no instructions for the agent to distinguish between the data it is reviewing and the instructions it should follow, allowing an attacker to embed 'Ignore previous instructions' or malicious commands within a marketplace config or README.
  - Capability inventory: The agent has the capability to execute shell commands (bash, git) and produce formatted feedback that influences downstream user or agent actions.
  - Sanitization: Absent. The data from these files is used directly in comparisons and feedback generation without escaping or validation.
Recommendations
- AI detected serious security threats
Audit Metadata