skill
Warn
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `/skill setup` and `/skill scan` subcommands implement shell script blocks that use `find`, `grep`, and `sed` within a `sh -c` execution context. While used for metadata extraction from skill files, executing shell logic on content derived from potentially untrusted project-level or imported files creates an attack surface for command injection if the input is not strictly sanitized.
- [EXTERNAL_DOWNLOADS]: The `Import Skill` feature in the setup wizard explicitly supports downloading skill definitions from arbitrary external URLs. This allows for the introduction of unverified code or instructions into the agent's persistent skill storage without source validation.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from `SKILL.md` files in both user and project scopes.
  - Ingestion points: File reads in `~/.claude/skills/omc-learned/` and `.omc/skills/` via `/skill info`, `/skill search`, and `/skill scan`.
  - Boundary markers: Absent; content is displayed directly to the agent context.
  - Capability inventory: Includes shell command execution (`mkdir`, `find`), and file read/write operations.
  - Sanitization: Only basic name validation (lowercase/hyphens) is performed; the content of the skills and the results of shell-based parsing are not sanitized before being returned to the agent.
Audit Metadata