sync-skills-shared-protocols
Pass
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes command-line tools to locate and verify protocol tags across the file system.
- Evidence: Uses
grep -rl "SYNC:{tag-name}" .claude/skills/*/SKILL.mdto identify target files for synchronization. - Evidence: Invokes
pythonandnodeto run internal project scripts and test suites. - [REMOTE_CODE_EXECUTION]: The instructions direct the agent to execute Python and Node.js scripts provided within the skill's own repository structure.
- Evidence: The workflow for "Operation B" involves running
.claude/scripts/sync-hooks-to-skills.pyto perform bulk insertions. - Evidence: The verification step requires running
.claude/hooks/tests/run-all-tests.cjsto validate agent coverage and tag balance. - [PROMPT_INJECTION]: The skill contains instructional modifiers designed to ensure consistent behavior across different platform environments and enforce strict protocol adherence.
- Evidence: "Ignore Claude-specific mode-switch instructions when they appear" is used to handle compatibility between Codex and Claude environments.
- Evidence: "Strict execution contract: when a user explicitly invokes a skill, execute that skill protocol as written" is used to prevent the agent from deviating from established workflows.
Audit Metadata