rch
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM
DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill configuration and troubleshooting guides involve accessing sensitive user files, specifically SSH private keys such as ~/.ssh/id_rsa and ~/.ssh/id_ed25519, as well as the SSH configuration file (~/.ssh/config). These are used to authenticate with remote build workers.
- [COMMAND_EXECUTION]: The skill's primary function is to intercept and offload local development commands (e.g., cargo, bun, gcc) to be executed on remote systems via SSH and rsync.
- [EXTERNAL_DOWNLOADS]: The documentation includes instructions to download and execute the Rust toolchain installer directly from its official domain at https://sh.rustup.rs.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by installing a PreToolUse hook in the agent's settings (~/.claude/settings.json) that intercepts and processes inputs and outputs for the Bash tool.
  - Ingestion points: The hook intercepts command strings intended for the Bash tool as described in references/HOOKS.md.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are documented for the intercepted strings.
  - Capability inventory: The skill possesses extensive capabilities including remote command execution, file system access, and network communication.
  - Sanitization: The provided documentation does not detail any sanitization or validation of the intercepted commands before they are transmitted for remote execution.
Audit Metadata