project-directory-migration

Fail

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
  • [COMMAND_EXECUTION]: The migration script scripts/claude-code-migrate.sh contains a command injection vulnerability where user-supplied directory paths are interpolated directly into Python scripts executed via python3 -c. A maliciously crafted path containing single quotes and Python code (e.g., '); import os; ...) can bypass the intended string boundaries and execute arbitrary commands with the user's permissions. This pattern is found in Phases 4, 5, and 8 of the script.
  • [COMMAND_EXECUTION]: The script performs an unsafe trust operation in Phase 8 by automatically running mise trust on the target directory path. This grants immediate trusted status to environment configuration files (like .mise.toml) in the new directory without user verification. If the target directory contains malicious configuration, this enables automatic code execution the next time a tool is used in that directory, bypassing security controls of the environment manager.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 4, 2026, 09:51 AM