wrap-up-session
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is highly vulnerable as it bases its behavior on untrusted content from CLAUDE.md and repository files. Evidence Chain: 1. Ingestion points: CLAUDE.md (type, instructions), git history, and all modified repository files. 2. Boundary markers: Absent; the agent is instructed to 'infer' accomplishments directly from data. 3. Capability inventory: Execution of unison (file sync), git push/commit, and arbitrary shell commands for tests/linting. 4. Sanitization: None; input is directly interpolated into agent reasoning.
- Command Execution (HIGH): The skill automatically executes tests and linting tools within the local environment based on the repository type. This allows an attacker to achieve arbitrary code execution by placing malicious commands in a project's test scripts or linting configuration.
- Data Exfiltration (MEDIUM): The integration of the 'unison' tool for folder synchronization enables the automated transfer of the entire repository content to a remote machine. Without strict destination validation, this pattern can be used to exfiltrate sensitive data or code.
- External Downloads (LOW): The skill relies on the 'unison' binary, which is a non-standard dependency that might require untrusted installation steps or network access to acquire.
Recommendations
- AI detected serious security threats
Audit Metadata