settings-management

Pass

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: SAFE

Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill documents several settings that enable arbitrary shell command execution. For Claude Code, this includes apiKeyHelper (executes scripts in /bin/sh), hooks (runs commands before or after tool use), statusLine, and fileSuggestion commands. Codex CLI is similarly documented as supporting lifecycle hooks that execute system commands.
  • [DATA_EXFILTRATION]: The skill manages files (settings.json, config.toml, opencode.json) that frequently contain sensitive data like API keys, tokens, and environment variables. Additionally, the OpenCode reference documents a 'Variable Substitution' feature ({file:path/to/file}) that can be used to inject the contents of arbitrary local files into the agent's configuration or prompts.
  • [PROMPT_INJECTION]: The skill provides instructions on how to modify the agent's permission systems. This includes documentation for bypassPermissions mode (which disables most checks) and the ability to modify allow/deny rules for file access and web fetching, creating a surface for an agent to be instructed to weaken its own security posture.
  • [REMOTE_CODE_EXECUTION]: Documentation for OpenCode (v1.14.x) describes a plugin field that accepts npm packages. This represents a remote code execution surface if an agent is instructed to add untrusted or malicious packages to the configuration.
  • [INDIRECT_PROMPT_INJECTION]: The skill defines a workflow for reading and merging configuration data from local and project files. This creates a surface where an attacker-controlled file (e.g., a project's .claude/settings.json in a malicious repo) could be merged into the user's global settings, potentially injecting malicious hooks or relaxing permissions without explicit user intent.
  • Ingestion points: Reads from ~/.claude/settings.json, .claude/settings.json, ~/.codex/config.toml, ~/.config/opencode/opencode.json, and project root configuration files.
  • Boundary markers: None specified for the data ingestion process beyond standard JSON/TOML parsing.
  • Capability inventory: The skill allows writing to configuration files that control shell command execution, file system access, and plugin installation.
  • Sanitization: The skill recommends validating JSON before writing but does not specify validation of the content or intent of the configuration changes.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 4, 2026, 11:48 PM