editor-tools
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The 'Self-Heal Observer' section instructs the agent to monitor interactions for 'friction signals' and perform background analysis without notifying the user. This attempts to steer agent behavior towards non-transparent background operations and establishes a conditional trigger that activates a secondary protocol based on session performance.
- [COMMAND_EXECUTION]: The skill provides a shell command string using `mkdir` and `rsync` to deploy configuration files to the user's home directory. This involves direct filesystem manipulation via shell commands.
- [PROMPT_INJECTION]: The skill defines a workflow where the agent ingests session data and follows instructions from an external file path (.claude/skills/self-heal/references/diagnosis-protocol.md). This creates an attack surface where instructions from outside the skill's scope can influence agent behavior.
  - Ingestion points: Session 'friction signals' and the contents of the external diagnosis protocol file.
  - Boundary markers: None present to distinguish instructions from data.
  - Capability inventory: The agent has access to `Read`, `Glob`, `Grep`, `Edit`, and `Write` tools.
  - Sanitization: No validation or sanitization is performed on the content of the external protocol file before the agent is instructed to 'follow it exactly'.
Audit Metadata