claude-companion
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script scripts/claude-companion.mjs retrieves API keys from the macOS keychain using the security command and writes them to temporary files in the system's temporary directory, which is shared with every other process of that user. It attempts to delete these files afterwards, but if the process is interrupted or killed between the write and the delete, the key remains on disk.
- [COMMAND_EXECUTION]: The core functionality of the skill is executing the claude and copilot CLI tools via Node.js spawn and spawnSync calls. This gives the agent the ability to run external processes with the full permissions of the local user.
- [DATA_EXFILTRATION]: The skill is configured to send workspace context and user prompts to external AI service endpoints (e.g., api.z.ai). This is an intentional data flow to third-party services, so anything in the workspace (including secrets committed to files) may leave the machine.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt-injection surface because the delegated sub-agents read and process untrusted files from the local workspace.
  - Ingestion points: the claude and copilot tools read workspace files from the path given by the --cwd argument.
  - Boundary markers: the instructions provide templates for prompt formatting but no robust technical delimiters that separate untrusted file content from the agent's instructions.
  - Capability inventory: the sub-agents can modify the file system, execute shell commands, and make network requests, so an injected instruction can reach all three capabilities.
  - Sanitization: workspace content is handed to the external agents without any explicit filtering or sanitization.
Audit Metadata