audit-plugins
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from external plugins.
  - Ingestion points: The skill reads `plugin.json` manifest files and scans directory structures from both local repositories and global plugin locations (SKILL.md).
  - Boundary markers: No explicit delimiters or instructions are defined to protect the agent from malicious instructions embedded within the plugin manifests or documentation being audited.
  - Capability inventory: The skill utilizes powerful tools including `Bash`, `Task`, and `Grep`, and spawns subagents (`plugin-component-auditor`, `audit-finding-validator`) to process the ingested data (SKILL.md).
  - Sanitization: There is no evidence of content sanitization or validation of the strings extracted from plugin files before they are passed to subagents.
- [COMMAND_EXECUTION]: The skill uses `Bash` and `Task` tools to perform environment setup, plugin discovery, and audit log management. It executes commands to manage the `.claude/temp/` directory and perform cleanup operations. There is a potential risk of command injection if the `plugin-name` argument provided by the user is not properly sanitized before being used in shell contexts.
- [DATA_EXFILTRATION]: The skill accesses sensitive user directories, specifically `~/.claude/plugins/` on Unix and `%USERPROFILE%\.claude\plugins\` on Windows. While this access is required for auditing globally installed plugins, it creates a surface for data exposure if an attacker can manipulate the plugin discovery logic to read arbitrary files.
Audit Metadata