engagement-workflow

Warn

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DYNAMIC_EXECUTION]: The skill constructs shell commands by interpolating unvalidated user inputs directly into string templates executed via the Bash tool.
      ◦ Evidence: Subcommands like /digital-marketing-pro:engagement start and add-stone-fact use variables such as {brand-slug}, {engagement-id}, and {fact-json} inside shell command strings (e.g., python ${CLAUDE_PLUGIN_ROOT}/scripts/engagement-state.py init --brand {brand-slug}).
      ◦ Risk: Maliciously crafted inputs containing shell metacharacters (e.g., ;, $(...), or `) or single quotes could break out of the intended command structure and execute arbitrary code on the host machine.
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill's core logic and persistence are delegated to an external script, engagement-state.py, which is not part of the analyzed skill definition.
      ◦ Evidence: All primary subcommands rely on executing python ${CLAUDE_PLUGIN_ROOT}/scripts/engagement-state.py.
      ◦ Risk: This creates a dependency on an external executable that operates with the agent's full system permissions, making the security of the skill entirely dependent on the unverified contents of that script.
  • [INDIRECT_PROMPT_INJECTION]: The workflow ingests and processes untrusted data from the 'Client Validation Document' (Part 5) to influence the behavior of the 'Decision Matrix' and downstream content generation.
      ◦ Ingestion points: SKILL.md processes findings with ACCEPT/REJECT/EDIT/DEFER options provided by users or external clients.
      ◦ Capability inventory: The skill has Bash, Write, and Edit permissions, and triggers further production skills like four-core-documents based on this input.
      ◦ Sanitization: There is no evidence of sanitization or boundary markers to prevent instructions embedded within the client feedback from overriding the agent's logic during the v2 re-run phase.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses and manages sensitive application data in the user's home directory.
      ◦ Evidence: Accesses ~/.claude-marketing/brands/{brand-slug}/profile.json and manages state in _engagement.json.
      ◦ Risk: While consistent with the skill's stated purpose, the pattern of reading structured data from the home directory and passing it to a script via command-line arguments increases the surface area for potential data leakage or manipulation.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 20, 2026, 12:41 AM
Security Audit — agent-trust-hub — engagement-workflow