biweekly-report

Warn

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to construct and execute shell commands using variable parameters provided by the user or fetched from external sources without explicit validation or sanitization instructions.
  • Evidence: uv run ~/.claude/skills/slack-user-cli/scripts/slack_user_cli.py read <channel> --limit 100 in SKILL.md.
  • Evidence: gh pr list --repo <org/repo> ... and gh issue list --repo <org/repo> ... in SKILL.md.
  • Risk: Malicious input for the <channel>, <org/repo>, or <keywords> variables containing shell metacharacters (e.g., ;, &&, |) could result in arbitrary command execution on the host system.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from Slack and GitHub and processes it as part of its reasoning and generation task without security boundaries.
  • Ingestion points: Slack messages (via slack_user_cli.py) and GitHub PR/Issue titles/metadata (via gh CLI) in SKILL.md.
  • Boundary markers: The instructions lack delimiters (like XML tags or triple quotes) or explicit system-level warnings to the agent to ignore any instructions embedded within the fetched Slack or GitHub content.
  • Capability inventory: The skill has access to the Bash tool, which increases the impact if the agent is tricked into following instructions found in external data.
  • Sanitization: There is no evidence of sanitization, filtering, or escaping of external content before it is processed by the model to generate the report.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 28, 2026, 11:13 PM
Security Audit — agent-trust-hub — biweekly-report