compound-docs
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script located at .claude/skills/skill-creator/scripts/init_skill.py with a user-provided argument [skill-name] in Step 8 (Option 5). While this script is a vendor-owned resource, the use of unvalidated user input directly in a shell command string presents a risk of command injection if the input is not properly sanitized by the underlying execution environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its core workflow of persisting data from conversation history and later retrieving it.
  - Ingestion points: Conversation history (Step 2) and existing documentation files (Step 3).
  - Boundary markers: No specific delimiters or safety instructions are defined in the documentation templates (assets/resolution-template.md) to distinguish between documented content and agent instructions.
  - Capability inventory: The skill utilizes Bash (for file operations and searching), Read (for reading files and history), and Write (for creating documentation).
  - Sanitization: Filenames are sanitized (Step 4) and frontmatter is validated against a schema (Step 5). However, the documentation body itself, which is read during search operations in Step 3, is not sanitized for potential malicious instructions that could influence the agent's behavior in future sessions.