content-writer
Fail
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script
scripts/install-dependencies.shclones an external repository (https://github.com/AgriciDaniel/claude-seo.git) and immediately executes a shell script namedinstall.shfound within that repository. This pattern of downloading and executing code from unverified third-party sources is a high-risk vector for arbitrary code execution on the user's machine. - [COMMAND_EXECUTION]: The
package.jsonfile triggers apostinstallhook that runsscripts/postinstall.js. This JavaScript file performs extensive file system operations usingfs.rmSync,fs.mkdirSync, andfs.copyFileSyncwithin the user's home directory (~/.claude/skills). Additionally, it usesexecSyncto invoke shell commands and external bash scripts, increasing the execution risk during the installation phase. - [EXTERNAL_DOWNLOADS]: During installation, the skill attempts to clone multiple third-party repositories (
AgriciDaniel/claude-seoandblader/humanizer) from GitHub. These sources are not identified as trusted vendors or well-known services in the authoritative list, and the skill performs these downloads and subsequent executions automatically. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from arbitrary URLs.
- Ingestion points: The
/writer:profile-createcommand (URL scanning for tone detection) and the/writer:plancommand (fetching URLs for topic research) both ingest content from external websites into the agent's context. - Boundary markers: The instructions do not define strict delimiters or warnings to ignore instructions embedded within the fetched web content.
- Capability inventory: The skill possesses significant capabilities, including file system writes to
~/.claude/skills, the ability to execute subprocesses throughexecSync(inpostinstall.js), and network access viagitandnpm(ininstall-dependencies.sh). - Sanitization: There is no evidence of content sanitization or validation performed on the data retrieved from external URLs before it is processed by the agent to calibrate its 'voice' or 'angle'.
Recommendations
- AI detected serious security threats
Audit Metadata