PAIUpgrade
Pass
Audited by Gen Agent Trust Hub on Jun 30, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses
Tools/Anthropic.tsandWorkflows/Upgrade.mdto fetch data from numerous external sources, including official Anthropic domains (anthropic.com, docs.claude.com), GitHub, and Model Context Protocol documentation. These downloads are performed from well-known and trusted technology services and are used exclusively for monitoring updates. - [COMMAND_EXECUTION]: Multiple workflow files and the primary
SKILL.mdcontain instructions to execute shell commands. This includescurlrequests tolocalhost:31337for voice notifications,yt-dlpfor extracting YouTube video metadata, and thegh(GitHub CLI) for repository searching. These commands are localized to the system or target official APIs. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted external data that an attacker could control, such as YouTube transcripts or GitHub README files, and processes this content to generate 'recommendations'.
- Ingestion points:
Workflows/Upgrade.md(Step 2, Agents 2 and 4) reads content from YouTube transcripts and GitHub README files. - Boundary markers: The instructions do not explicitly mandate wrapping the ingested external content in security delimiters or 'ignore' warnings.
- Capability inventory: The skill has extensive access to the local filesystem (
~/.claude/PAI/) and the ability to execute shell commands (curl,bun,yt-dlp,gh). - Sanitization: No explicit sanitization or filtering of the external technical content is described before it is provided to the agent for analysis.
Audit Metadata