claude-code-showcase

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill references and utilizes official tools and packages from trusted organizations and well-known registries.
      • Evidence: Implementation examples utilize @anthropic/claude-code, @anthropic/mcp-jira, and prettier via npx execution.
  • [COMMAND_EXECUTION]: Defines project-specific hooks and shell scripts that execute commands for workflow automation and branch protection.
      • Evidence: Implementation of PreToolUse and PostToolUse hooks in .claude/settings.json, and the prompt evaluation script in .claude/hooks/skill-eval.sh.
  • [PROMPT_INJECTION]: The skill establishes an attack surface for indirect prompt injection by ingesting and processing data from external sources.
      • Ingestion points: Pull request details via gh pr view in .claude/commands/pr-review.md and Jira issue details via MCP in .claude/commands/ticket.md.
      • Boundary markers: Absent; the templates do not include explicit delimiters or instructions to ignore embedded commands in the external data.
      • Capability inventory: The configured environment allows npx, npm, git, node, cat, grep, and find as specified in allowedCommands.
      • Sanitization: No explicit sanitization or validation of the fetched external content is performed before the agent processes the data.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 17, 2026, 07:28 AM