skills/akillness/jeo-skills/claudekit/Gen Agent Trust Hub

claudekit

Warn

Audited by Gen Agent Trust Hub on Jun 27, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill directs the agent/user to add a third-party marketplace and install a plugin from a repository (duthaho/claudekit-marketplace) that is not part of a recognized or trusted organization. This results in the download of unverifiable code from an external source.
  • [COMMAND_EXECUTION]: The initialization instructions (/claudekit:init) trigger shell commands to generate files and directories on the local system, including .claude/rules/, .claude/hooks/, and .mcp.json.
  • [PROMPT_INJECTION]: The skill scaffolds rule and hook files that the agent is subsequently instructed to follow. This creates an indirect prompt injection surface where the generated instructions could influence or restrict the agent's behavior if the source repository provides malicious templates.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 27, 2026, 04:58 AM
Security Audit — agent-trust-hub — claudekit