sync-knowledge
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it instructs the agent to ingest data from untrusted sources, such as project documentation (README, docs/) and session logs, and write that data into permanent knowledge base skills.
- Ingestion points: Project documents, session history, and README files.
- Boundary markers: Absent; the skill does not specify delimiters to separate untrusted content from the instructions used to update the files.
- Capability inventory: File system read and write access to the agent's internal configuration directory (~/.claude/skills/).
- Sanitization: Absent; the skill relies on natural language instructions for the agent to skip secrets, but lacks programmatic sanitization of the input content.
- [COMMAND_EXECUTION]: The skill performs file system operations (read and write) on the agent's internal configuration directory (~/.claude/skills/). Modifying these files allows for persistent changes to the agent's behavior, which could be exploited to maintain malicious activity across different projects and sessions.
Audit Metadata