genshijin-compress
Pass
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: SAFE
Flagged categories: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads the contents of local files and transmits them to the Anthropic API or the 'claude' CLI for processing. While this involves data transfer to a third-party service, it is the primary intended function of the token-reduction tool. The skill implements a security filter in scripts/compress.py using the is_sensitive_path function to prevent the accidental upload of sensitive files such as SSH keys, environment configurations, and credential files.
- [COMMAND_EXECUTION]: The script scripts/compress.py utilizes subprocess.run to call the external 'claude' CLI tool. The command is constructed with a static list of arguments, which prevents shell command injection. This is used as a fallback if the primary Python API client is not available.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it ingests untrusted data from local files into an LLM prompt.
  - Ingestion points: File content is read via filepath.read_text() in scripts/compress.py and passed to the LLM.
  - Boundary markers: The prompt uses a simple text label without robust delimiters or instructions to ignore embedded commands in the source file.
  - Capability inventory: The skill has the capability to overwrite local files via filepath.write_text() and to execute CLI tools.
  - Sanitization: The skill mitigates risks through a post-processing validation step in scripts/validate.py, which ensures that the compressed output maintains the original file's structure, including headings, URLs, and code blocks, reverting changes if discrepancies are detected.
Audit Metadata