skills/tw93/claude-health/health/Gen Agent Trust Hub

health

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes an extensive bash block that utilizes system utilities like find, grep, python3, and jq to aggregate project data and configuration. It also uses string concatenation (e.g., _ev='eva''l', _b64='base6''4') when defining security scan patterns, likely to avoid detection by static analysis tools.
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive application data by reading ~/.claude/settings.local.json (which may contain MCP server configurations and credentials) and project conversation history logs (.jsonl files). This exposure of local configuration and private chat logs is intended for the audit but results in sensitive information being loaded into the agent's context.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) by ingesting untrusted content from the project being audited (rules, other skills, conversation history).
      • Ingestion points: Audits multiple files including CLAUDE.md, .claude/rules/, .claude/skills/, and previous conversation logs via a central bash collection script.
      • Boundary markers: Data sections are labeled with text headers (e.g., === rules/ ===), but no explicit instructions or delimiters are used to ensure the model disregards instructions embedded within the audited content.
      • Capability inventory: The skill utilizes broad data collection capabilities and initiates subagents that process the collected untrusted data.
      • Sanitization: No sanitization, escaping, or filtering of the ingested file contents is implemented.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 01:11 AM