agents-md-generator
Audited by Socket on Mar 7, 2026
2 alerts found:
Obfuscated File, Anomaly
The skill appears to be a benign, purpose-aligned tool for generating and updating CLAUDE.md/AGENTS.md instruction files with interactive guidance and multi-stack detection. Its workflow centers on local project analysis, user prompts, and template-based document generation, with explicit safeguards around system prompt alignment. While there is a potential for global prompt overrides to influence behavior, the design includes explicit warnings and user confirmation, reducing the risk. Overall security risk is moderate (0.55) due to the potential for prompt conflicts if not carefully managed, but the threat level remains low given the described controls and absence of external payloads or credential handling in the described flow.
The batch script serves as a launcher for a PowerShell script, constructing and forwarding arguments in a way that could be exploited if the invoked PS script is untrusted or poorly handled. The use of ExecutionPolicy Bypass and direct forwarding of command-line arguments to PowerShell represents a potential security risk, particularly if detect-agent-context.ps1 processes or trusts these inputs without proper validation. There is no explicit malware or backdoor behavior in this fragment, but it introduces a risk of command-line injection or unintended PowerShell execution depending on the PS script’s handling of parameters. Recommended mitigations include validating and sanitizing inputs at the batch level, avoiding ExecutionPolicy Bypass, constraining arguments to expected patterns, implementing signed PS scripts, and auditing detect-agent-context.ps1 for secure handling of incoming parameters.