collaborating-with-claude

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bridge script scripts/claude_bridge.py contains logic to execute the claude CLI. On Windows systems, it attempts to handle .cmd or .bat shims by manually constructing a command string for cmd.exe.
  • Evidence: Line 110 in scripts/claude_bridge.py: resolved = [comspec, "/d", "/s", "/c", " ".join(f'"{arg}"' for arg in resolved)]. This pattern is susceptible to command injection if an argument, such as the prompt, contains unescaped double quotes that break out of the string joining logic.
  • [PROMPT_INJECTION]: As a delegation tool, the skill is susceptible to indirect prompt injection where instructions in project files could influence the behavior of the delegated Claude instance.
  • Ingestion points: The bridge script accepts input through the --PROMPT argument and the --prompt-file path.
  • Boundary markers: The documentation in references/prompt-blocks.md recommends using XML tags like <task> to structure prompts, which serves as a boundary marker.
  • Capability inventory: The delegated Claude CLI possesses significant capabilities, including shell execution (Bash), file system modification (FileWrite), and network access (WebFetch, WebSearch).
  • Sanitization: The bridge script does not perform content sanitization on the prompts, relying instead on the Claude CLI's internal safety filters and user-defined permission modes.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 04:18 PM
Security Audit — agent-trust-hub — collaborating-with-claude