analyzing-security-headers

Warn

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [DYNAMIC_EXECUTION]: The script scripts/generate_report.py contains a generate_script method that writes arbitrary content to a shell script file (.sh). Evidence: scripts/generate_report.py lines 71-88.
  • [PRIVILEGE_ESCALATION]: The generate_script method in scripts/generate_report.py explicitly grants execution permissions to the generated shell scripts using chmod(0o755). Evidence: scripts/generate_report.py line 87.
  • [METADATA_POISONING]: There is a significant discrepancy between the skill's stated purpose (analyzing HTTP headers) and the actual implementation of its scripts, which focus on local directory analysis and script generation. Evidence: scripts/analyze_headers.py docstring vs implementation; scripts/generate_report.py docstring vs generate_script method.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted response data (HTTP headers) from arbitrary external domains without explicit sanitization or boundary markers. Ingestion points: Target domain response headers via WebFetch (SKILL.md). Boundary markers: None. Capability inventory: WebFetch, Read, and execution of bundled Python scripts. Sanitization: None specified.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 9, 2026, 02:11 AM