100Critical
This skill enables severe command injection and arbitrary file system access
Behavior Analysis
Description verified — behavior matches claim
Claims to do
Command Development for Claude Code: Slash commands are frequently-used prompts defined as Markdown files that Claude executes during interactive sessions. Understanding command structure, frontmatter options, and dynamic features enables creating powerful, reusable workflows.
Actually does
This skill provides comprehensive documentation and best practices for developing 'slash commands' for Claude Code. It details how to structure commands using Markdown and YAML frontmatter, incorporate dynamic arguments, reference files, and execute bash commands. It also covers command organization, troubleshooting, and integration with plugin-specific features like agents, skills, and hooks.
Skill Info
Nameanthropics/claude-code/command-development
Registrygithub
Versionf348a16da828
PURLpkg:github/anthropics/claude-code@f348a16da828?skill=command-development
Stars114,388
Installs455,628
Source
SHA-256cf4372aa8f5e...
SHA-1daa4512e8a19...
MD5b50e85755001...
TLSH3f82eb37a55d...
ssdeep384:SB7vB84I...
Size18,941 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
GitHub
https://github.com/anthropics/claude-code/tree/main/skills/command-development455,628 installs
Claude CodeDocs
/plugin marketplace add anthropics/claude-code/plugin install command-development@anthropics/claude-code
Skills.shDocs
npx skills add https://github.com/anthropics/claude-code --skill command-developmentAssessments (3)
AI Agent Traps ↗Command Execution via Bash with User Inputcriticalcommand execution
The skill demonstrates executing bash commands inline using backticks (`!`) and directly injecting user-provided arguments (`$1`, `$ARGUMENTS`) into these commands without explicit sanitization guidance. This creates a severe command injection vulnerability.
100% confidenceline 400
Run analysis: !`node ${CLAUDE_PLUGIN_ROOT}/scripts/analyze.js $1`
Run tests: !`npm test $1`
Validate environment: !`echo "$1" | grep -E ...`Broad Tool Access for Bash and File Operationshighresource abuse
The `allowed-tools` frontmatter field permits granting extensive capabilities like `Bash(*)` for arbitrary command execution and `Read`, `Write`, `Edit` for broad file system access. This significantly increases the attack surface for malicious commands.
100% confidenceline 105
allowed-tools: Read, Write, Edit, Bash(git:*) allowed-tools: Bash(*)
Arbitrary File Content Inclusionhighdata exfiltration
The `@` syntax allows commands to include the content of arbitrary files from the file system, including those specified by user arguments. This can be abused to exfiltrate sensitive data or gather system information.
100% confidenceline 250
Review @$1 for:
Compare @src/old-version.js with @src/new-version.js
@${CLAUDE_PLUGIN_ROOT}/config/settings.jsonExecution of Plugin-Bundled Scripts via CLAUDE_PLUGIN_ROOThighcommand execution
The `CLAUDE_PLUGIN_ROOT` variable, combined with bash execution, enables commands to directly execute scripts located within the plugin's directory. This introduces a supply chain risk if a plugin is compromised or designed with malicious scripts.
100% confidenceline 390
Run analysis: !`node ${CLAUDE_PLUGIN_ROOT}/scripts/analyze.js $1`
!bash ${CLAUDE_PLUGIN_ROOT}/scripts/script.shSub-Agent Spawning and Skill Invocationmediumsub agent spawning
Commands can initiate other agents or invoke specialized skills. While a legitimate feature, this capability could be abused to trigger cascading failures or unintended actions in a multi-agent system if the invoked components are malicious or poorly configured.
90% confidenceline 500
Launch code-reviewer agent for detailed analysis. Use the api-docs-standards skill to ensure:
Lack of Explicit Sanitization Guidance for User Inputmediumoversight evasion
The skill demonstrates argument validation but lacks explicit guidance or best practices for sanitizing user-provided arguments before they are used in bash commands or file paths, increasing the risk of injection attacks.
80% confidenceline 200
The sections on 'Dynamic Arguments' and 'Bash Commands' show direct injection without sanitization functions.
Version History (2)
Dependencies (13)
agent-sdk-dev.claude-plugin/marketplace.jsonnot scanned
claude-opus-4-5-migration.claude-plugin/marketplace.jsonnot scanned
code-review.claude-plugin/marketplace.jsonnot scanned
commit-commands.claude-plugin/marketplace.jsonnot scanned
explanatory-output-style.claude-plugin/marketplace.jsonnot scanned
feature-dev.claude-plugin/marketplace.jsonnot scanned
frontend-design.claude-plugin/marketplace.jsonnot scanned
hookify.claude-plugin/marketplace.jsonnot scanned
learning-output-style.claude-plugin/marketplace.jsonnot scanned
plugin-dev.claude-plugin/marketplace.jsonnot scanned
pr-review-toolkit.claude-plugin/marketplace.jsonnot scanned
ralph-wiggum.claude-plugin/marketplace.jsonnot scanned
security-guidance.claude-plugin/marketplace.jsonnot scanned
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/anthropics/claude-code/command-development)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/anthropics/claude-code/command-development"><img src="https://mondoo.com/ai-agent-security/api/badge/github/anthropics/claude-code/command-development.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/anthropics/claude-code/command-development.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow