trailofbits-claude-config

The fix-issue.md command instructs the AI to 'Read GitHub Issue #$ISSUE_NUMBER from the canonical repo thoroughly' and 'Follow linked issues, referenced PRs, and external documentation to build complete understanding before planning.' The issue content, which is user-controlled, is then used to drive the entire workflow including planning, implementation, and code changes. There are no explicit data boundary markers around the issue content, allowing malicious issue descriptions to potentially override the skill's directives.

Multiple commands use user-provided input ($ISSUE_NUMBER, $REPO) directly in shell commands without proper sanitization. The fix-issue.md command uses $ISSUE_NUMBER in gh commands, and merge-dependabot.md uses $REPO in git clone operations. While these appear to be intended as simple parameters, malicious input could potentially inject additional shell commands or parameters.

The plugin contains shell scripts that execute commands with force flags and bypass user confirmation. The hooks/enforce-package-manager.sh script uses 'set -euo pipefail' which can mask errors, and the hooks/log-gam.sh script automatically logs and executes GAM (Google Apps Manager) commands without user confirmation. The scripts also use exit codes to control execution flow, potentially bypassing normal safety checks.

The fix-issue.md and merge-dependabot.md commands instruct the agent to perform system-level operations including global package installation, modifying git configuration, and accessing repositories outside the current project. The commands use 'gh repo clone' to access arbitrary repositories, modify global git settings, and install packages system-wide without virtual environments.

The plugin declares an empty scope ({}) but the commands perform extensive operations including network requests (gh commands, git operations), file system modifications across multiple directories, shell command execution, and external tool invocations. The fix-issue.md command uses web search (mcp__exa__web_search_exa), GitHub CLI operations, git operations, and file system modifications without declaring these capabilities.

The hooks contain conditional logic that references environment variables (CLAUDE_PROJECT_DIR) and system state (file existence checks, git status) that users may not be aware of. The enforce-package-manager.sh hook blocks npm commands based on the presence of pnpm-lock.yaml, and the log-gam.sh hook logs commands based on environment variables and command patterns. These conditionals affect behavior in ways not documented in user-visible guarantees.

The enforce-package-manager.sh hook claims authority to block user commands with 'BLOCKED: This project uses pnpm, not npm. Use pnpm instead.' and exits with code 2 to prevent execution. This represents an override of user intent based on file system state, effectively claiming enforcement authority over the user's tool choices.

The fix-issue.md command contains multiple persistent behavioral directives that could affect the agent's behavior beyond the current task. The command uses language like 'Execute every step below sequentially. Do not stop or ask for confirmation at any step' and 'When stuck during implementation... use Exa to search for solutions rather than spinning' without explicit scope boundaries or termination conditions.

The merge-dependabot.md command exhibits significant scope creep by claiming authority over repository management, CI configuration, and dependency management across any GitHub repository. While stated as a dependabot PR evaluation tool, it includes directives to create corrective PRs, modify dependabot configuration files, and make system-level decisions about repository health that extend far beyond simple PR evaluation.

The plugin contains shell scripts that install packages without declaring them as dependencies. The hooks/log-gam.sh script uses 'jq' for JSON parsing, and scripts/statusline.sh also uses 'jq' extensively. Additionally, the log-gam.sh script references 'gam7/gam' (Google Apps Manager) which appears to be an external tool dependency. These package dependencies are not listed in the plugin's declared dependencies array.

The fix-issue.md command instructs the AI to clone GitHub repositories using mutable references without commit hash pinning or integrity verification. The command uses 'gh repo clone $REPO' and 'git fetch origin' operations that pull from potentially mutable branch heads. Additionally, the merge-dependabot.md command clones repositories with '--depth=50' but still references mutable branches, creating a chain of clone-then-execute operations without verification.