collab
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the system shell to perform git operations (`git branch`, `git checkout`, `git commit`, `git push`, `git rebase`).
- [COMMAND_EXECUTION]: The `/collab publish` and `/collab promote` commands execute multi-step scripts including `pnpm build`, `pnpm test:all`, `pnpm verify`, and `pnpm drone:restart`. These commands execute scripts defined in the repository's `package.json`.
- [COMMAND_EXECUTION]: The skill installs git hooks via `pnpm hooks:install`, which symlinks scripts from `coordination/git-hooks/` into `.git/hooks/`. These hooks execute automatically during git operations, creating a mechanism for persistence and arbitrary code execution within the developer's environment.
- [DATA_EXFILTRATION]: The skill interacts with sensitive file paths outside the immediate working directory. Specifically, it copies configuration files to `C:\Users\Chris\.claude\skills\teslasoft\SKILL.md` and `~/.claude/skills/teslasoft/SKILL.md` (via WSL). Accessing and modifying the user's global `.claude` configuration directory is a high-privilege action for a skill.
- [DATA_EXFILTRATION]: The `/collab publish` and `/collab checkpoint` commands push local data to a remote repository. The remote is determined dynamically (`git remote | head -1`), which could be used to exfiltrate code or metadata to an unintended remote if a repository is misconfigured or malicious.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface. It reads and displays git branch names and commit messages in an ASCII 'Collaboration Dashboard' and via status commands. These fields, which can be controlled by external contributors in a shared repository, are processed and rendered back to the agent without explicit sanitization, potentially influencing the agent's behavior during session transitions.