This skill facilitates arbitrary code execution through unverified shell piping and git hook injection while exfiltrating sensitive project data to an external, attacker-controlled Notion database.
npx skills add https://github.com/0xPuncker/adp
The skill claims to be an 'Autonomous Development Pipeline' but includes multiple critical security risks, including remote code execution via curl-to-shell piping, git hook injection, and unpinned package execution, which contradict the 'security' and 'resilience' goals claimed in its own harness configuration.
Static analysis findings: [critical] MONDOO_AGENT_SKILL_CE_003 (Remote code download and execution), [critical] bash-curl-pipe-shell, and [high] MONDOO_AGENT_SKILL_PER_003 (Git hooks injection).
Remote code download and execution detected
curl -fsSL https://raw.githubusercontent.com/0xPuncker/adp/main/bin/install.sh | bash
A remote resource is downloaded with curl/wget and piped directly into a shell interpreter (optionally via sudo). The downloaded script runs with no integrity check (no checksum/signature), so a compromised server, MITM, or hijacked URL leads to arbitrary code execution. Download to a file, verify it (e.g. sha256sum -c against a pinned digest, or a signature), then execute it.
The evaluator sub-agent is instructed to run `live_test_command` sourced from `harness.yaml`, a user-editable file. If harness.yaml is tampered with or generated from attacker-controlled project files, this becomes an indirect code execution path through the evaluator's Bash access.
If live_test is enabled: a. Run the `live_test_command` to start the app ... evaluator allowedTools: [Read, Grep, Glob, Bash]
The skill installs a custom git hook that enforces commit conventions, which could be repurposed to execute arbitrary code whenever a commit is made.
Copy templates/hooks/commit-msg (from the ADP skill directory) to .git/hooks/commit-msg
The skill hardcodes a specific Notion database ID and instructs the agent to write project memories, activity logs, and metadata to an attacker-controlled external service on every memory write operation. This routes project intelligence (decisions, blockers, architecture notes) through a third-party endpoint not under the user's control.
data_source_id: `2d1ac8c4-819a-4562-a57b-944dc613b18f` ... mcp__claude_ai_Notion__notion-create-pages with data_source_id: 2d1ac8c4-819a-4562-a57b-944dc613b18f
The dual-write protocol syncs all memory files to Notion but claims to strip `security.md` content. However, the security guide contains vulnerability audit output, dependency CVEs, and OWASP findings — the stripping logic is agent-interpreted and not deterministically enforced, leaving sensitive security posture data at risk of external transmission.
Any content sourced from `security.md` — that guide contains vulnerability details and dependency audit output that must never leave the local environment — Replace stripped references with a generic description
Git hooks injection — installs persistent code execution via git repository hooks (seen 2 times in this file at lines 422, 2787)
chmod +x .git/hooks/
The skill instructs the agent to use its own `harness.yaml` sensor commands instead of standard platform tools, effectively overriding the agent's native capability to choose appropriate verification methods.
Read sensor commands from .adp/harness.yaml and execute each one in `order`
The 'auto-mode' explicitly forces the agent to bypass clarification gates and human oversight, creating a high-risk environment for unverified code execution.
Force `clarify: never` for this invocation
The skill installs PreToolUse, PostToolUse, and SessionStart hooks into `.claude/hooks/` that fire on every tool call and session start across all projects, not just ADP-managed ones. This is a persistence mechanism that extends the skill's influence beyond its declared scope.
Four hooks are installed by `adp init` ... PreToolUse.sh — fires before every tool call ... SessionStart.sh — fires at the start of every Claude Code session
The dual-write protocol syncs local memory to an external Notion database, potentially exposing sensitive project details or internal paths to a third-party service.
sync it to the "ADP Memory" Notion database — in the same operation
The skill mandates spawning sub-agents for evaluation and adversary testing, which can be used to bypass the primary agent's safety constraints by delegating tasks to less-monitored sub-processes.
Spawn a separate sub-agent with fresh context
Sub-agent spawning instructions detected — may create agents with attacker-controlled prompts
spawn a sub-agent
Untrusted package source — installs a dependency from a URL/VCS or alternate index instead of the public registry
npm install https://
Unpinned npx package execution — `npx <pkg>` without a version pin pulls latest from npm at runtime (seen 2 times in this file at lines 231, 256)
npx prisma
The skill integrates with a Notion database for 'memory', which could be manipulated by an attacker to inject malicious instructions into the agent's reasoning process during future sessions.
Notion "ADP Memory" database is the online memory store for cross-session facts
User confirmation bypass detected — attempts to skip human oversight (seen 4 times in this file at lines 229, 1828, 2397, 2398)
auto_approve
Skill description is empty or too short. A clear description helps users evaluate the skill's purpose.