vector-cluster

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches the ruvector package from the npm registry. This package is a vendor-owned resource associated with the author's identity (ruvnet).
  • [COMMAND_EXECUTION]: The instructions utilize Bash commands to verify the local environment, install dependencies, and execute the clustering CLI via npx.
  • [PROMPT_INJECTION]: The skill is designed to process external files for community detection, which establishes an indirect prompt injection surface.
      • Ingestion points: Local files are passed as arguments to the graph-cluster and graph-mincut commands in SKILL.md.
      • Boundary markers: No explicit delimiters or instructions are provided to the agent to ignore embedded instructions within the analyzed files.
      • Capability inventory: The skill utilizes Bash for command execution and MCP tools for memory storage (mcp__claude-flow__memory_store).
      • Sanitization: No sanitization or validation of the input file content is performed within the skill instructions, relying on the ruvector tool's internal logic.
Audit Metadata
Risk Level: SAFE
Analyzed: Jun 13, 2026, 01:23 PM
Security Audit — agent-trust-hub — vector-cluster