claude-code-config-trailofbits

Warn

Audited by Snyk on May 17, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill instructs cloning and auto-loading external GitHub repositories and project-level CLAUDE.md files (e.g., ~/.claude/skills and project CLAUDE.md from cloned repos) and explicitly has the agent read/follow those files (e.g., "Run full security audit per CLAUDE.md"), so untrusted third-party content can directly influence tool use and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs cloning and auto-loading skills from https://github.com/trailofbits/skills.git (and the alternative https://github.com/trailofbits/skills-curated.git), which are fetched and then auto-loaded by Claude Code at runtime to define agent skills/behaviors (i.e., content that directly controls prompts/instructions), so this is a high-confidence runtime external dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill largely gives user-level setup steps (copying files to ~/.claude, installing tools via brew/cargo/npm) and does not instruct the agent to create users or run sudo, but it explicitly recommends and documents a "claude-yolo" alias that runs the agent with --dangerously-skip-permissions (bypassing permission safeguards) and advises bypassing deny rules—encouraging disabling safety controls that could let the agent access or modify sensitive host state.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 17, 2026, 01:34 PM
Issues: 3