ultracook
Warn
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local script using the command `python3 ${CLAUDE_SKILL_DIR}/scripts/cook.pyz artifact-path specs <slug>`, where `<slug>` is a variable derived from user-provided input or file paths. This pattern presents a potential command injection vulnerability if the input is not strictly validated before being interpolated into the shell command.
- [PROMPT_INJECTION]: The orchestrator reads and acts upon data in `.cheese/` markdown files to drive the pipeline's logic, specifically the `status:` and `next:` fields.
  - Ingestion points: The skill reads `.cheese/<phase>/<slug>.md` files generated by automated sub-agents during the pipeline execution.
  - Boundary markers: No explicit delimiters or boundary markers are mentioned for the content being parsed.
  - Capability inventory: The skill can execute shell commands, interact with GitHub repositories via the `/gh` tool, and spawn sub-agents with full tool and filesystem access.
  - Sanitization: There is no evidence of sanitization or validation of the data read from the handoff slug files before it is used to determine the next orchestrator action.
- [COMMAND_EXECUTION]: The skill automates git operations by invoking the `/gh` tool to commit and push changes to remote repositories. While this is a documented feature for the pipeline's terminal phase, it involves autonomous network operations and modifications to the codebase.
Audit Metadata