PAIUpgrade

Pass

Audited by Gen Agent Trust Hub on Jun 30, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses Tools/Anthropic.ts and Workflows/Upgrade.md to fetch data from numerous external sources, including official Anthropic domains (anthropic.com, docs.claude.com), GitHub, and Model Context Protocol documentation. These downloads are performed from well-known and trusted technology services and are used exclusively for monitoring updates.
  • [COMMAND_EXECUTION]: Multiple workflow files and the primary SKILL.md contain instructions to execute shell commands. This includes curl requests to localhost:31337 for voice notifications, yt-dlp for extracting YouTube video metadata, and the gh (GitHub CLI) for repository searching. These commands are localized to the system or target official APIs.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted external data that an attacker could control, such as YouTube transcripts or GitHub README files, and processes this content to generate 'recommendations'.
  • Ingestion points: Workflows/Upgrade.md (Step 2, Agents 2 and 4) reads content from YouTube transcripts and GitHub README files.
  • Boundary markers: The instructions do not explicitly mandate wrapping the ingested external content in security delimiters or 'ignore' warnings.
  • Capability inventory: The skill has extensive access to the local filesystem (~/.claude/PAI/) and the ability to execute shell commands (curl, bun, yt-dlp, gh).
  • Sanitization: No explicit sanitization or filtering of the external technical content is described before it is provided to the agent for analysis.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 30, 2026, 03:33 PM
Security Audit — agent-trust-hub — PAIUpgrade