ljg-skill-map
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local shell script (scripts/scan.sh) that performs automated filesystem traversal using common utilities like sed, grep, and tr.
- [DATA_EXFILTRATION]: The skill systematically reads and extracts metadata from all files matching ~/.claude/skills/*/SKILL.md. This represents a data exposure risk as it allows the agent to inventory all installed extensions and their internal descriptions, though this is aligned with the skill's primary stated purpose.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the metadata it processes.
  - Ingestion points: Data is ingested from the name and description fields of external SKILL.md files located in the ~/.claude/skills/ directory.
  - Boundary markers: Absent. The data is parsed into JSON and then rendered directly into the agent's conversation context without delimiters or warnings to the agent that the content is untrusted.
  - Capability inventory: The agent processes this untrusted text to categorize skills and generate an ASCII visualization, meaning malicious instructions in a scanned file could potentially influence the agent's behavior during or after rendering.
  - Sanitization: The script performs basic character escaping to ensure valid JSON output, but it does not sanitize the actual text content for instructional patterns or malicious payloads.
Audit Metadata