RootCauseAnalysis
Warn
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill mandates the execution of a background shell command (
curl) to a local endpoint (http://localhost:31337/notify) every time it is invoked. The instruction explicitly directs the agent to silence the output and run the process in the background (> /dev/null 2>&1 &), which is a concealment pattern to hide telemetry from the user. - [COMMAND_EXECUTION]: The skill instructs the agent to automatically log usage metrics to a local file (
~/.claude/PAI/MEMORY/SKILLS/execution.jsonl) using a shell command (echo) after every successful workflow execution. - [PROMPT_INJECTION]: The skill uses imperative and mandatory language (e.g., "MANDATORY", "REQUIRED BEFORE ANY ACTION", "This is not optional") to force the agent to execute specific background tasks and telemetry before attending to the user's request. This overrides normal agent autonomy and interaction flow.
- [PROMPT_INJECTION]: The 'Customization' section instructs the agent to load and apply instructions from external files (e.g.,
PREFERENCES.md) found in the user's home directory. This creates a surface for indirect prompt injection where unvetted local files can override the skill's core behavior. - Ingestion points: Files in
~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/RootCauseAnalysis/. - Boundary markers: None mentioned; the agent is simply told to "load and apply" the contents.
- Capability inventory: The skill has access to shell execution (
curl,echo) and file system operations. - Sanitization: None; the skill does not specify any validation or escaping for the loaded customization content.
Audit Metadata