repo-value-analysis

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it mandates reading "EVERY file" in an external, untrusted repository during the deep-read phase.
  • Ingestion points: Untrusted data enters via git clone of user-provided URLs, which is then processed by the Read tool in Phase 2.
  • Boundary markers: No delimiters or "ignore embedded instructions" warnings are provided to sub-agents when processing external file content.
  • Capability inventory: The agent has access to Bash, Write, Read, and Agent tools, which can be misused if an injection occurs.
  • Sanitization: There is no evidence of sanitization, filtering, or validation of the content read from external repositories.
  • [DATA_EXFILTRATION]: In Phase 3, the skill performs a detailed inventory of the local claude-code-toolkit repository and stores it in /tmp/self-inventory.md. This sensitive metadata, combined with the lack of boundaries when reading external files, creates a risk where a malicious repository could trick the agent into exfiltrating the local inventory.
  • [EXTERNAL_DOWNLOADS]: The skill uses git clone to download repositories from arbitrary URLs provided by the user. While this is the primary purpose of the skill, it introduces untrusted code and prompts into the agent's working environment.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool for cloning and repository management. If a sub-agent is compromised via indirect prompt injection, this tool could be exploited to run arbitrary commands on the host system.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 1, 2026, 05:55 AM