caveman-compress
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. Natural language content from user-specified files is read and interpolated directly into the compression prompt in
scripts/compress.pywithout boundary markers or delimiters. This could allow a malicious file to influence the AI's behavior during the compression phase. - Ingestion points:
filepath.read_text()inscripts/compress.pyreads the target file's content. - Boundary markers: None are used in the
build_compress_promptfunction; the text is appended directly after a label. - Capability inventory: The skill can write to the filesystem (
Path.write_text), execute local commands (subprocess.run), and communicate with the Anthropic API. - Sanitization: The skill implements a heuristic path check to refuse known sensitive files, but does not sanitize the content of accepted files.
- [COMMAND_EXECUTION]: The orchestrator script in
scripts/compress.pyusessubprocess.runto call theclaudeCLI as a fallback authentication method. This execution is implemented safely using a fixed argument list and passing user content through standard input, avoiding shell interpolation risks. - [DATA_EXFILTRATION]: The skill transmits the contents of the target file to the Anthropic API for processing. To mitigate the risk of accidental credential exposure, the skill employs a detailed heuristic check (
is_sensitive_path) that blocks files with names or paths associated with secrets, SSH keys, or configuration tokens (e.g.,.env,.aws,credentials.md).
Audit Metadata