component-architect

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and 'remediate' other skills and agents located in ~/.claude. This creates a critical vulnerability surface where a malicious component (e.g., from a cloned repository) can provide instructions that override the architect's behavior during the audit phase.
    • Ingestion points: scripts/validate-component.sh, scripts/audit-components.py (reads all markdown and JSON files in ~/.claude subdirectories).
    • Boundary markers: None detected; the skill treats extracted frontmatter as data but uses a high-reasoning model (Sonnet) to interpret and 'fix' it.
    • Capability inventory: Write, Edit, Bash, WebFetch, and the ability to spawn subagents.
    • Sanitization: None; the scripts parse YAML/JSON, but the resulting content is fed back into the agent's context for 'Architecture Enforcement'.
  • Data Exposure (HIGH): The skill has broad access to the ~/.claude directory, which contains sensitive configurations, lifecycle hooks, and instructions for all other agents and skills. Given that the skill also has 'WebFetch' permissions, an indirect prompt injection could easily lead to the exfiltration of the user's entire agent configuration suite.
  • Persistence Mechanisms (MEDIUM): The skill implements PreToolUse and PostToolUse hooks that trigger on any 'Write' or 'Edit' operation. This ensures that the skill's logic (and any potentially injected logic) remains active and executes automatically whenever the agent modifies files, effectively maintaining a persistent presence across sessions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:07 AM