Hello maintainers,
We are conducting a research study on repository-local agent instruction surfaces and analyzed this repository with agent-audit.
This is a static artifact review, not a claim of confirmed exploitability. We are sharing it because the repository produced a concentrated set of high-signal findings in action-bearing and integration-bearing skill artifacts.
High-level scan summary:
- 150 raw findings
- 147 clustered issue instances
- 2 multi-signal issue instances

Review these files first:
- Releases/v3.0/.claude/skills/Cloudflare/SKILL.md
  - canonical class: broad_external_action_without_approval
  - rule: asamm.AD-02.broad-action-without-approval
  - why it stood out: remote-action capabilities plus write-action language without nearby approval/scoping
- Releases/v4.0.0/.claude/skills/Scraping/BrightData/SKILL.md
  - canonical class: broad_external_action_without_approval
  - rule: asamm.AD-02.broad-action-without-approval
  - why it stood out: multiple remote/external action cues in a scraping workflow
- Packs/Security/src/Recon/SKILL.md
  - canonical class: tool_or_skill_poisoning_surface
  - rule: atr.tool-poisoning.mcp-tool-description-important-tag-cross-tool-shadowing-atta
  - why it stood out: control-plane / tool-description poisoning-style signal
- Packs/Utilities/src/PAIUpgrade/SKILL.md
  - canonical class: unsafe_command_or_execution_surface
  - rule: atr.privilege-escalation.shell-metacharacter-injection-in-tool-arguments
  - why it stood out: shell / command execution pattern
- Releases/v3.0/.claude/skills/PAI/SKILL.md
  - canonical class: credential_or_pii_exposure_surface
  - rule: cisco-pg.pii_exposure.pg-pii-ssn-harvesting
  - why it stood out: sensitive-data collection / handling language
Questions that would help interpret these findings:
- Are these release-versioned skills intended for direct operational use, or partially as snapshots/reference material?
- Is approval/scoping described elsewhere in the repo and intentionally centralized?
- Are some of the flagged patterns present because the repository documents advanced infrastructure capabilities rather than default autonomous behavior?
Method and dataset reference:
https://github.com/scadastrangelove/agent-audit/tree/main/artifacts/article-support-dataset-v1
If there is a preferred security/contact channel instead of issues for this sort of research notification, we are happy to use it.