gemini-use-claude-acp

Fail

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script claude-delegate.mjs sets the environment variable CLAUDE_CODE_SKIP_PERMISSIONS to 1. This configuration instructs the delegated Claude agent to execute all tool calls—including arbitrary shell commands and file system modifications—without requiring manual user confirmation.
  • [EXTERNAL_DOWNLOADS]: The skill uses pnpm dlx to download and execute the @zed-industries/claude-code-acp package from the npm registry at runtime.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by accepting arbitrary input text and passing it to an agent session with elevated, unattended tool access.
      ◦ Ingestion points: Command-line arguments passed to claude-delegate.mjs are joined into the final prompt text.
      ◦ Boundary markers: None; the prompt text is interpolated directly into the message without delimiters or instructions to ignore embedded commands.
      ◦ Capability inventory: The delegated agent has access to Claude Code's native capabilities, including full filesystem access and shell command execution, with auto-approval enabled.
      ◦ Sanitization: No validation or sanitization is performed on the input prompt text.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 12, 2026, 07:07 AM