compound-docs
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using variables derived from user input without sufficient validation, creating a risk of command injection.
  - Evidence: In Option 5 of the Decision Menu, the skill executes `python3 .claude/skills/skill-creator/scripts/init_skill.py [skill-name]`. If the `skill-name` provided by a user contains shell metacharacters (e.g., `;`, `&`, `|`), it could lead to arbitrary command execution.
  - Evidence: Step 6 and Step 7 use Bash commands like `mkdir -p`, `echo >>`, and `cat >>` with variables like `CATEGORY` and `FILENAME`. While filename sanitization is mentioned, the lack of rigorous validation on the other interpolated values remains a concern.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it ingests untrusted data from the conversation and persists it in documentation that influences future agent behavior.
  - Ingestion points: Conversation history is parsed to extract symptoms, root causes, and solutions in Step 2 of SKILL.md.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when parsing or writing the gathered context.
  - Capability inventory: The skill uses the `Bash` and `Write` tools to modify the file system (SKILL.md, Tools section).
  - Sanitization: Only the filename is sanitized (Step 4). The content of the documentation and the 'Required Reading' patterns (Option 2) are not sanitized. This allows malicious instructions to be persisted in `cora-critical-patterns.md`, which is explicitly stated to be seen by all subagents before code generation.
Audit Metadata