code-mode
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local configuration files including
~/.claude.jsonand~/.claude/plugins/installed_plugins.json. These files are used by the Claude Code tool to store server configurations, which often include authentication tokens, API keys, and sensitive environment variables. - [COMMAND_EXECUTION]: The skill is designed to spawn local child processes for MCP servers using the 'stdio' transport. It executes commands and arguments retrieved from the local configuration files without additional validation.
- [REMOTE_CODE_EXECUTION]: The skill employs a dynamic execution pattern where it programmatically generates TypeScript files (e.g.,
_run.ts) in the/tmp/claude-code-mode/directory and executes them using the Bun runtime. - [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by processing data from external MCP tools and using it to influence script logic or subsequent tool calls.
- Ingestion points: Data enters the agent's context through
client.callToolresults inSKILL.mdandexamples.md(e.g., Figma file content). - Boundary markers: The skill lacks explicit boundary markers or instructions to the agent to ignore embedded instructions within tool outputs.
- Capability inventory: The skill has access to shell execution, network requests via HTTP/SSE transports, and file system operations.
- Sanitization: Tool outputs are treated as trusted data and used directly in logic (e.g., finding target node IDs) or passed to other tools without sanitization.
Recommendations
- AI detected serious security threats
Audit Metadata