PAI
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill design centralizes highly sensitive PII and instructs the agent to maintain this context proactively, creating a significant attack surface for indirect injection.
- Ingestion points: The agent is instructed to load
SKILL.mdfor "comprehensive tasks," which includes private contact lists and social media data. - Boundary markers: Absent. There are no instructions to isolate this sensitive context when the agent is processing untrusted external data (e.g., reading a website or an email).
- Capability inventory: The skill mentions file system operations (writing to
~/.claude/scratchpad/), Git command execution (git remote -v), and general shell access (datecommand). - Sanitization: Absent. There is no logic to filter or protect the stored PII from being leaked if a malicious prompt is encountered in external data.
- [Data Exposure & Exfiltration] (MEDIUM): The skill explicitly targets the
~/.claude/directory, which is noted as containing "EXTREMELY SENSITIVE PRIVATE DATA." While the skill provides warnings to the user about Git safety, the centralization of this data in a format accessible to the AI's context window facilitates exfiltration if the agent is compromised by a malicious prompt. - [Prompt Injection] (LOW): The skill uses strong imperative language ("MUST BE USED proactively," "CRITICAL," "ALWAYS USE") to dictate agent behavior and response formatting. While currently used for template structure, this style of instruction can be leveraged in more malicious contexts to override system safety protocols.
Recommendations
- AI detected serious security threats
Audit Metadata