craftcms-ops
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: The content is dedicated to technical documentation, code snippets, and architectural guidelines for Craft CMS 5 development, matching its stated purpose.
- [METADATA_POISONING]: There is a discrepancy between the author identifier provided in the context (0xdarkmatter) and the author field in the skill metadata (claude-mods), which may lead to confusion regarding the skill's origin.
- [INDIRECT_PROMPT_INJECTION]: The skill provides instructions for the agent to retrieve and process data from a Craft CMS database (e.g., via element queries in references/twig-and-queries.md and GraphQL in references/graphql-and-plugins.md). This creates an attack surface where an attacker who has compromised the CMS content could attempt to influence the agent's actions through embedded instructions.
- Ingestion points: Data retrieved via craft.entries() queries and GraphQL entries queries as documented in references/twig-and-queries.md and references/graphql-and-plugins.md.
- Boundary markers: No instructions are provided to the agent to treat retrieved content as untrusted or to use delimiters.
- Capability inventory: The skill is configured with Bash, Read, and Write tool permissions in SKILL.md, which could be misused if the agent obeys instructions embedded in fetched content.
- Sanitization: The provided Twig and PHP examples do not demonstrate sanitization of external data before use.
- [SAFE]: External resource references point to official project documentation at craftcms.com and reputable ecosystem sites like putyourlightson.com.
Audit Metadata