transformer
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a shell escape sequence (`!`) to execute `cat ~/.claude/skills/prompt/SKILL.md`. This method of file access bypasses standard security-monitored tools and executes commands directly on the host system.
- [DATA_EXFILTRATION]: By using shell commands to read from a hidden application directory (`~/.claude/`), the skill accesses local data outside of the immediate project scope. This pattern could be adapted to read more sensitive configuration or credential files in the user's home directory.
- [PROMPT_INJECTION]: The skill acts as a transformer for other skill files provided via the `$ARGUMENTS` parameter, creating an indirect prompt injection surface where the content of those files can influence agent behavior.
  - Ingestion points: External file path provided through the `$ARGUMENTS` variable.
  - Boundary markers: Absent; there are no clear delimiters or instructions to ignore embedded commands within the ingested content.
  - Capability inventory: Ability to execute shell commands (`cat`) and perform text transformation/reasoning tasks.
  - Sanitization: None; the skill ingests raw content from the specified file path and processes it directly.
Audit Metadata