Skills
skills/garagon/nanostack/nano-doctor/Gen Agent Trust Hub

nano-doctor

Warn

Audited by Gen Agent Trust Hub on May 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: Executes local shell scripts nano-doctor.sh, skill-preamble.sh, and skill-finalize.sh located within the ~/.claude/skills/nanostack/bin/ directory.
  • [REMOTE_CODE_EXECUTION]: Recommends the execution of npx create-nanostack, which downloads and executes remote code from the npm registry at runtime.
  • [COMMAND_EXECUTION]: The --fix functionality modifies the agent's .claude/settings.json to insert PreToolUse hooks for Bash and file-editing tools. These hooks function as persistence mechanisms that automatically trigger scripts whenever those tools are invoked by the agent.
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection via the following characteristics:
  • Ingestion points: The agent is instructed to process the JSON output from nano-doctor.sh and follow the fix_command provided within that output.
  • Boundary markers: The instructions lack boundary markers or guidelines to ignore instructions embedded within the script's output.
  • Capability inventory: The skill possesses capabilities to modify configuration files, change file permissions, and execute shell commands.
  • Sanitization: There is no evidence of sanitization or validation for the commands and parameters parsed from the diagnostic output before they are suggested to or executed by the agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 14, 2026, 06:45 AM