alma-skill-sync
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE | PROMPT_INJECTION
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): The script reads skill definitions from the user's home directory (~/.claude/skills/). This is the primary intended function and the data is only sent to a local API (localhost:23001), posing no risk of external exfiltration.
- [Indirect Prompt Injection] (LOW): The skill parses SKILL.md files from third-party sources (other installed skills), which could contain malicious metadata designed to manipulate the local Alma API.
  - Ingestion points: The get_skill_names function in scripts/sync_to_alma.py reads content from all SKILL.md files in ~/.claude/skills and ~/.claude/plugins.
  - Boundary markers: None. The script extracts the name field using a regular expression without validating the content or using delimiters to isolate the metadata.
  - Capability inventory: The script is capable of making GET, POST, and DELETE requests to a local REST API, which could be used to create or remove shortcuts in the user's environment.
  - Sanitization: The script performs basic string cleaning (trimming and quote removal) but does not sanitize the input against common injection patterns or API-specific escape sequences.
Audit Metadata