doctor
Pass
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive configuration files including '.mcp.json', '.claude/settings.json', and '.env' (implied) to validate setup and credential presence (e.g., TAVILY_API_KEY). These operations are restricted to local diagnostics as part of the skill's primary 'doctor' purpose and no data exfiltration was detected.
- [COMMAND_EXECUTION]: The skill utilizes several Bash scripts ('check-mcp-pinning.sh', 'check-plugin-health.sh') to validate system state. These scripts use local Python 3 processes for JSON parsing of configuration data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from external 'SKILL.md' and agent manifest files during its validation process.
- Ingestion points: The skill reads files in 'src/skills/', 'src/agents/', and 'manifests/' via the 'Read', 'Grep', and 'Glob' tools.
- Boundary markers: No explicit boundary markers or 'ignore embedded instructions' warnings are present when processing these files.
- Capability inventory: The agent has access to 'Bash', 'Write', 'Edit', 'MultiEdit', and 'AskUserQuestion' tools, which could be exploited if a malicious instruction is processed.
- Sanitization: No sanitization or validation of the natural language content within the ingested markdown files is performed before they are processed by the agent.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing 'portless' via npm and references 'agent-browser' from Vercel Labs. These are well-known technology services and are documented neutrally.
Audit Metadata