cortex-run
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on shell command execution to verify the presence of the `cortex` CLI (`which cortex`) and to run a local Python integration script (`execute_cortex.py`) located in the plugin's root directory.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by instructing the agent to interpolate untrusted user prompts and session context directly into a shell command's arguments in `SKILL.md`.
- Ingestion points: Untrusted data enters the context via the user's prompt following the `$cortex-run` command and the inclusion of the 'Claude Code Session' history.
- Boundary markers: While the skill uses Markdown headers to organize the prompt, it lacks strong delimiters or 'ignore' instructions to prevent the agent from obeying instructions embedded within the user data or session context.
- Capability inventory: The skill's primary function involves executing subprocesses and shell commands, which increases the impact if the interpolated data contains malicious payloads.
- Sanitization: There are no instructions for sanitizing, escaping, or validating the input before it is used in the `python` command execution template, which may lead to command injection if the agent does not handle shell metacharacters properly.
Audit Metadata