claude
Warn
Audited by Gen Agent Trust Hub on Jul 3, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `claude` command-line tool. It explicitly suggests using flags such as `--dangerously-skip-permissions` and `--permission-mode dontAsk`, which disable user confirmation for potentially destructive operations like file edits and shell command execution performed by the sub-agent.
- [COMMAND_EXECUTION]: User-provided input is interpolated directly into a shell command string via the `"<prompt>"` argument. If the agent does not properly sanitize this input and the user includes shell metacharacters or escape sequences, shell command injection is possible.
- [PROMPT_INJECTION]: The skill acts as a surface for indirect prompt injection (Category 8) by relaying untrusted user instructions to a sub-agent equipped with powerful system tools.
  - Ingestion points: User-provided tasks and requests for Claude's assistance found in the conversation context.
  - Boundary markers: The skill suggests using XML-style tags like `<task>` and `<output_contract>` to structure the prompt, though these do not prevent adversarial injection.
  - Capability inventory: The delegated `claude` agent has access to `Read`, `Grep`, `Glob`, `Bash`, and file-editing capabilities.
  - Sanitization: No explicit sanitization or validation of the user's task description is performed before it is passed as an argument to the CLI.
Audit Metadata