skills/dnyoussef/ai-chrome-extension/when-managing-token-budget-use-token-budget-advisor/Gen Agent Trust Hub
when-managing-token-budget-use-token-budget-advisor
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute external code using the
npx claude-flow@alphacommand across multiple phase instructions. - Evidence: Found in
SKILL.md(Phases 1 and 3) andPROCESS.md(Phases 1, 3, and 5). - Risk: Using
npxto run unverified packages from a public registry at runtime can lead to remote code execution if the package or its dependencies are compromised. - [EXTERNAL_DOWNLOADS]: Fetches and executes the
claude-flowpackage from the public NPM registry at runtime. - Evidence: Multiple shell command examples using
npxto invoke the tool without pre-installation. - [COMMAND_EXECUTION]: Executes shell commands with potential for argument injection when processing user input.
- Evidence:
npx claude-flow@alpha hooks pre-task --description "Planning token budget for [task]"inPROCESS.md. - Risk: The skill interpolates the user-provided
[task]description directly into a shell command argument. Without explicit instructions for sanitization or escaping shell metacharacters (e.g.,;,&,|), a malicious task description could be crafted to execute arbitrary shell commands. - [PROMPT_INJECTION]: Vulnerable to indirect prompt injection through untrusted task descriptions.
- Ingestion points: The
taskDescriptionvariable inSKILL.mdused for complexity estimation and phase decomposition. - Boundary markers: Absent. There are no delimiters (e.g., XML tags, triple backticks) or specific instructions to the agent to treat the user-provided task description as data rather than instructions.
- Capability inventory: The agent has access to shell execution (
npx), memory storage, and multi-agent coordination capabilities. - Sanitization: Absent. The skill logic uses regex for classification but does not validate or sanitize the input content before processing or interpolation into commands.
Audit Metadata