start-session
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to indirect prompt injection via repository context files.
  - Ingestion points: The skill reads `CLAUDE.md`, `agents.md`, and `README.md` (Step 2).
  - Boundary markers: Absent. The skill parses sections such as `## Project Actions` and `## Roadmap` without any sanitization or isolation markers (Steps 5, 6).
  - Capability inventory: The skill can execute shell commands (`unison`, `git`) and perform file writes to `CLAUDE.md` (Guardrails Check 1, 2).
  - Sanitization: Absent. The agent is instructed to directly parse and report content from these files, which may contain malicious instructions designed to hijack the agent's session.
- [COMMAND_EXECUTION] (HIGH): Executes potentially dangerous system commands.
  - Evidence: Step 1 runs `unison folders -batch -terse`. Step 4b runs a complex sequence of `git fetch`, `comm`, `grep`, and `sed` using process substitution.
  - Risk: The `unison` command relies on a local profile named 'folders'. If an attacker can influence the environment or the profile configuration, they could trigger arbitrary file synchronization to a remote machine. The complex shell pipes in Step 4b could be vulnerable to command injection if branch names contain malicious characters and are not properly handled by the shell environment.
- [DATA_EXFILTRATION] (MEDIUM): Potential for data exfiltration via synchronization tools.
  - Risk: While the skill aims to orient the user, its use of `unison` and `git fetch --prune` involves network operations. In a compromised repository context, these could be leveraged to push local project files or metadata to an unauthorized remote server.
Recommendations
- AI detected serious security threats