invoice-generator
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute the 'open' command on file paths derived from user-provided client names (e.g., 'open invoices/{client_slug}_{NNN}.html'). Although it includes a directive to 'slugify' the name by replacing special characters with hyphens, this pattern relies on the agent's adherence to instructions to prevent shell command injection.
- [DATA_EXFILTRATION]: The skill collects and stores high-sensitivity personally identifiable information (PII), including the contractor's full name, physical address, phone number, and email address, in a local configuration file at '.claude/invoice-generator.local.md'. While the data is stored locally for legitimate reuse, the consolidation of PII creates an exposure surface.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from the user (client names, addresses, line items, and notes) and interpolates it directly into an HTML template ('assets/invoice-template.html'). Ingestion points: User input via AskUserQuestion. Boundary markers: Absent; input is placed directly into template placeholders. Capability inventory: Shell command execution ('open'), file system read/write. Sanitization: Partial; the skill specifies slugification for filenames but lacks instructions for escaping HTML entities within the invoice content, potentially allowing for XSS or layout manipulation.
Audit Metadata