content-writer

Fail

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/install-dependencies.sh clones an external repository (https://github.com/AgriciDaniel/claude-seo.git) and immediately executes a shell script named install.sh found within that repository. This pattern of downloading and executing code from unverified third-party sources is a high-risk vector for arbitrary code execution on the user's machine.
  • [COMMAND_EXECUTION]: The package.json file triggers a postinstall hook that runs scripts/postinstall.js. This JavaScript file performs extensive file system operations using fs.rmSync, fs.mkdirSync, and fs.copyFileSync within the user's home directory (~/.claude/skills). Additionally, it uses execSync to invoke shell commands and external bash scripts, increasing the execution risk during the installation phase.
  • [EXTERNAL_DOWNLOADS]: During installation, the skill attempts to clone multiple third-party repositories (AgriciDaniel/claude-seo and blader/humanizer) from GitHub. These sources are not identified as trusted vendors or well-known services in the authoritative list, and the skill performs these downloads and subsequent executions automatically.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from arbitrary URLs.
  • Ingestion points: The /writer:profile-create command (URL scanning for tone detection) and the /writer:plan command (fetching URLs for topic research) both ingest content from external websites into the agent's context.
  • Boundary markers: The instructions do not define strict delimiters or warnings to ignore instructions embedded within the fetched web content.
  • Capability inventory: The skill possesses significant capabilities, including file system writes to ~/.claude/skills, the ability to execute subprocesses through execSync (in postinstall.js), and network access via git and npm (in install-dependencies.sh).
  • Sanitization: There is no evidence of content sanitization or validation performed on the data retrieved from external URLs before it is processed by the agent to calibrate its 'voice' or 'angle'.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jul 7, 2026, 04:06 AM
Security Audit — agent-trust-hub — content-writer