collaborating-with-claude
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bridge script
scripts/claude_bridge.pycontains logic to execute theclaudeCLI. On Windows systems, it attempts to handle.cmdor.batshims by manually constructing a command string forcmd.exe. - Evidence: Line 110 in
scripts/claude_bridge.py:resolved = [comspec, "/d", "/s", "/c", " ".join(f'"{arg}"' for arg in resolved)]. This pattern is susceptible to command injection if an argument, such as the prompt, contains unescaped double quotes that break out of the string joining logic. - [PROMPT_INJECTION]: As a delegation tool, the skill is susceptible to indirect prompt injection where instructions in project files could influence the behavior of the delegated Claude instance.
- Ingestion points: The bridge script accepts input through the
--PROMPTargument and the--prompt-filepath. - Boundary markers: The documentation in
references/prompt-blocks.mdrecommends using XML tags like<task>to structure prompts, which serves as a boundary marker. - Capability inventory: The delegated Claude CLI possesses significant capabilities, including shell execution (
Bash), file system modification (FileWrite), and network access (WebFetch,WebSearch). - Sanitization: The bridge script does not perform content sanitization on the prompts, relying instead on the Claude CLI's internal safety filters and user-defined permission modes.
Audit Metadata