marketplace-dev
Fail
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The Phase 0 instructions direct the agent to "mine local Claude Code session history" using grep on files in ~/.claude/projects/. These logs contain interaction history that may include user data, code, and credentials, representing a high-risk data exposure of the agent's cross-session memory.
- [COMMAND_EXECUTION]: The skill executes multiple local scripts (scripts/check_marketplace.sh, hooks/post_edit_sync_check.sh, hooks/post_edit_validate.sh) and system commands including python3 and the claude CLI for marketplace validation and installation testing.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it reads fields from external SKILL.md files and interpolates them directly into a marketplace.json manifest without sanitization or boundary markers. Ingestion points: SKILL.md files in the repository's skills/ directory; Boundary markers: Absent; Capability inventory: File system writes, CLI validation, and bundled script execution; Sanitization: Absent (instructions mandate using exact text from source).
- [PROMPT_INJECTION]: The repository contains a .security-scan-passed file claiming a successful security scan by external tools. This is a self-referential safety claim that may mislead users about the skill's actual security posture.
Recommendations
- AI detected serious security threats
Audit Metadata