Skills
skills/enderfga/openclaw-claude-code-skill/claude-code-skill/Gen Agent Trust Hub

claude-code-skill

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's core functionality relies on spawning and managing subprocesses for various coding CLIs. The claude_session_start tool includes a customEngine parameter that allows for the execution of any local binary and arguments specified at runtime, which represents a significant capability for arbitrary command execution.
  • [REMOTE_CODE_EXECUTION]: Documentation describes installing the Cursor agent using a curl | bash command from its official website. This pattern fetches and executes a remote script directly in the shell, bypassing standard package management verification processes.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its ability to ingest and process untrusted data from multiple sources.
  • Ingestion points: The skill reads local project files, git worktrees, and external GitHub PR metadata (via the --from-pr flag).
  • Boundary markers: While XML escaping is applied to cross-session inbox messages, no explicit boundary markers or isolation instructions are documented for the processing of codebase files or PR descriptions.
  • Capability inventory: The skill possesses high-privilege capabilities, including subprocess management for multiple engines and the execution of arbitrary binaries via the customEngine tool configuration.
  • Sanitization: There is no evidence of documented sanitization or validation logic for data retrieved from project files or PRs before it is used to influence agent behavior.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 28, 2026, 04:14 PM
Security Audit — agent-trust-hub — claude-code-skill