organize
Warn
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands such as `ls -la` for initial reconnaissance and implied management commands for creating, moving, renaming, and deleting files.
- [DATA_EXFILTRATION]: The skill explicitly includes scanning and processing of hidden files and directories (e.g., `.git`, `.env`, `.claude`) and uses MD5 comparisons to verify duplicates. This involves reading the contents of potentially sensitive files containing credentials or configuration, which is a significant exposure risk despite being relevant to the skill's primary purpose.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it processes filenames and directory structures, which are untrusted external data. A malicious filename could be crafted to influence the agent's behavior during the analysis or planning phases.
  - Ingestion points: Local directory listings and filenames read via `ls -la` (SKILL.md).
  - Boundary markers: Absent; the agent is not instructed to use delimiters or ignore instructions found within filenames.
  - Capability inventory: Full file management capabilities including move, rename, and delete operations across the target directory.
  - Sanitization: The skill mitigates risk by enforcing a mandatory human-in-the-loop checkpoint, requiring user approval before any destructive actions are performed.
Audit Metadata