triage
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to interact with system services via launchctl and performs file system deletions of .plist configuration files.
- [DATA_EXFILTRATION]: The skill accesses sensitive user data by reading chat transcripts from the ~/.claude/projects directory. While used for diagnostics, this creates a risk of exposing private user interactions.
- [REMOTE_CODE_EXECUTION]: The skill dynamically sources external shell scripts (triage-lib.sh) from a path influenced by environment variables, leading to the execution of code not contained within the main skill file.
- [DYNAMIC_EXECUTION]: The instructions encourage "Self-Evolving" behavior, directing the agent to modify the SKILL.md file immediately upon detecting issues. This self-modification of logic is a high-risk pattern that can be used to bypass safety controls or persist malicious instructions.
- [INDIRECT_PROMPT_INJECTION]: The skill is vulnerable to instructions embedded in the external data it processes.
  - Ingestion points: Processes registry.json, heartbeat.json, and user transcripts from ~/.claude/projects.
  - Boundary markers: None identified; external content is processed without explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: Possesses the ability to execute bash commands, modify system-level persistence (launchctl), and rewrite its own instruction file.
  - Sanitization: No sanitization or validation of the ingested external data is performed before it influences agent actions.
Audit Metadata