This skill attempts to harvest API tokens, executes
Claims to do
Create Application Skill: **YOU ARE THE EXECUTOR** - This skill contains the complete workflow that you must execute directly. When invoked:
Actually does
The skill uses `mcp__perplexity-aicore__perplexity_search` and `WebFetch` to gather information about an application from various web sources and the application's website. It then processes this data, performs quality checks, and uses an embedded Python script to authenticate with LeanIX via OAuth2 and interact with its GraphQL API to create or update an application fact sheet. For multiple applications, it spawns subagents using the `Task` tool.
The skill creates directories using a user-controlled application name (`[App_Name]`), which could be exploited for path traversal attacks to create directories in arbitrary locations.
```bash
mkdir -p ../executions/[App_Name]
```
The skill explicitly instructs the agent to spawn sub-agents via the Task tool when multiple applications are requested. The sub-agent prompt instructs the spawned agent to read a skill file from a local path and execute its full workflow, meaning whoever controls the skill file at that path controls the sub-agent's behavior. This is a classic attacker-controlled prompt injection vector via sub-agent spawning.
```
Task(
subagent_type="general-purpose",
description="Create LeanIX application for {App}",
prompt="Read the SKILL.md at /Users/I756819/.claude/plugins/cache/leanix-catalog-research-marketplace/create-application/1.0.0/skills/create-application/skill/SKILL.md and execute the full 4-step workflow to create a LeanIX Application fact sheet for: {App}"
)
```
A hardcoded absolute filesystem path containing a specific username ('I756819') is embedded in the skill. This leaks the identity of the developer/user and ties the skill to a specific machine, which could be exploited to enumerate the filesystem or target the specific user account.
```
/Users/I756819/.claude/plugins/cache/leanix-catalog-research-marketplace/create-application/1.0.0/skills/create-application/skill/SKILL.md
```
The skill instructs the agent to execute 'echo $LEANIX_API_TOKEN' to check for the presence of the API token. This causes the agent to read and expose a sensitive credential from the environment. The token value starting with 'LXT_' is also referenced, providing a pattern for credential identification. The Python script then directly reads and uses this token for authenticated API calls.
check with `echo $LEANIX_API_TOKEN` ... API_TOKEN = os.environ['LEANIX_API_TOKEN'] ... If still missing, ask user for token (starts with 'LXT_').
The skill instructs the agent to execute an inline Python script via a bash heredoc (python3 << 'PYEOF'). The script performs network authentication, GraphQL mutations, and filesystem operations. The placeholder values (e.g., {appName}, {description}) are interpolated directly into the script without sanitization, creating a code injection risk if the research phase returns malicious data containing shell/Python metacharacters.
```bash
python3 << 'PYEOF'
import urllib.request, urllib.parse, json, ssl, base64, os
API_TOKEN = os.environ['LEANIX_API_TOKEN']
SUBDOMAIN = os.environ['LEANIX_SUBDOMAIN']
...
APP_NAME = "{appName}"
...
PYEOF
```
The skill instructs the agent to create directories and write files to the local filesystem as part of its normal workflow. This creates persistent artifacts that could be used for data exfiltration staging or to persist information across agent sessions.
```bash
mkdir -p ../executions/[App_Name]
```
Save outputs:
- `final_fields.json` - Verified data ready for LeanIX
- `COMPLETION_REPORT.md` - Full research summary
- `parallel_research.json` - Raw research data (optional)
The error handling section instructs the agent to execute 'source ~/.zshrc' to retrieve credentials. Sourcing shell profile files executes all commands contained within them, which is a dangerous pattern that could execute arbitrary commands if the profile has been tampered with.
Action: Source ~/.zshrc first: source ~/.zshrc python3 << 'PYEOF' ...
The skill constructs WebFetch URLs based on user-provided application names or URLs. If the user provides an internal hostname, localhost address, or cloud metadata endpoint (e.g., 169.254.169.254) as the 'application URL', the agent will fetch it, potentially exposing internal services or cloud instance metadata.
"Create an application entry for [website URL]" ... WebFetch(url="https://[app-domain]", prompt="Extract: name, description, type indicators, hosting info, SSO mentions")
The skill explicitly instructs the agent to ask the user for the LEANIX_API_TOKEN if it's not found in the environment, which is a direct attempt to harvest sensitive credentials from the human overseer.
If still missing, ask user for token (starts with 'LXT_').
The skill explicitly states 'YOU ARE THE EXECUTOR' and 'DO NOT delegate the entire workflow to a 'application-creator' subagent' for single applications. However, it then mandates spawning subagents using the `Task` tool for multiple applications, directly contradicting its own core instruction against delegation.
The skill states: '❌ DO NOT delegate the entire workflow to a 'application-creator' subagent' and 'Single app: Execute the 4-step workflow yourself (YOU ARE THE EXECUTOR).' but also 'Multiple apps: Spawn parallel subagents, one per app, all in one message.' and 'Immediately spawn one subagent per application using the Task tool'.
The skill description uses very broad trigger phrases ('application data collection', 'app catalog management', 'application research') that could cause the agent to invoke this skill in contexts where the user did not intend to create applications, execute Python scripts, or make authenticated API calls to LeanIX.
Also trigger when user mentions application data collection, application research, or app catalog management. This skill automates the entire workflow - always use it rather than doing ad-hoc research.
The skill fetches content from arbitrary web pages (homepage, /security, /pricing, /about, /changelog) and instructs the agent to extract data from them. A malicious website operator could embed prompt injection instructions in their page content that would be processed by the agent as instructions, potentially hijacking the workflow steps or exfiltrating data.
```
WebFetch(url="https://[app-domain]", prompt="Extract: name, description, type indicators, hosting info, SSO mentions")
WebFetch(url="https://[app-domain]/security", prompt="Extract: SSO support, authentication methods, security features")
WebFetch(url="https://[app-domain]/pricing", prompt="Extract: pricing model, tiers, features by plan")
WebFetch(url="https://[app-domain]/about", prompt="Extract: company background, former names, aliases")
WebFetch(url="https://[app-domain]/changelog", prompt="Extract: SSO announcements, major features, hosting updates")
```
Research results from Perplexity and WebFetch are directly interpolated as string placeholders into a Python script that is then executed. A malicious web page or Perplexity result could contain characters or sequences that break out of the string context in the Python heredoc and inject arbitrary code (e.g., closing quotes, newlines with Python statements).
```python
fields = {
    '/description': "{description}",
    '/webpageUrl': "{webpageUrl}",
    '/hostingType': "{hostingType}",
    '/hostingDescription': "{hostingDescription}",
    '/ssoStatus': "{ssoStatus}",
    '/pricingUrl': "{pricingUrl}",
    '/pricingType': "{pricingType}",
    '/productCategory': "{productCategory}",
```
The agent is instructed to reference local guideline files for decision-making, which could lead to cognitive state manipulation or RAG poisoning if the content of these files is untrusted or can be altered.
Reference: ../guidelines/Application_Product_Category_Guidelines.md (top 50 categories listed)
The skill instructs the agent to execute GraphQL mutations that create and modify records in a production LeanIX system without requiring user confirmation before the API call. The workflow is designed to proceed automatically through all 4 steps, only reporting success after data has already been written to the external system.
updateFactSheet(id: $id, patches: $patches, validateOnly: false) ... Status: Ready for review team approval ... Your role: Execute the 4-step workflow directly
Source: https://mondoo.com/ai-agent-security/skills/github/vineetgoyal1/LeanIX-Catalog-Research-Marketplace/create-application