lyft-engineer
Fail
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill directs users to fetch its core instructions from a remote GitHub repository (raw.githubusercontent.com/lucaswhch/...). This source is not part of the established trusted organizations, posing a risk of remote instruction injection if the repository is compromised.
- [COMMAND_EXECUTION]: The installation section in
SKILL.mdprovides a shell command (echo ... >> ~/.claude/CLAUDE.md) to modify the local filesystem, which is a high-risk operation. - [PERSISTENCE_MECHANISMS]: The skill establishes persistence by instructing the agent to append a remote URL to its configuration file (
~/.claude/CLAUDE.md). This ensures that the agent automatically fetches and applies potentially changing remote instructions in every future session without further user intervention. - [METADATA_POISONING]: The skill includes multiple evaluation reports (
EVALUATION_REPORT.mdandlyft-engineer/EVALUATION_REPORT.md) that use authoritative-sounding language to claim a '9.5/10' excellence score and 'SAFE' status. These files appear designed to bypass security reviews or mislead users about the skill's integrity. - [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted user prompts to generate architectural designs and matching algorithms. It lacks explicit boundary markers or sanitization instructions, creating a surface where malicious user input could influence the agent's logic during design tasks.
- Ingestion points: User queries for system design scenarios in
SKILL.md. - Boundary markers: None identified.
- Capability inventory: Local file modification via shell commands.
- Sanitization: None identified.
Recommendations
- AI detected serious security threats
Audit Metadata