Productivity & Tasks

doc-coauthoring

Gold
Official Claude
7,056 tokens

gemini-3-pro-preview

Safety Score

75 / 100

Detected Capabilities

shell

Sensitive Files

Clean filesystem scan

Deep Audit Findings

This skill defines a 'Doc Co-Authoring' workflow that orchestrates a multi-stage process involving sensitive context gathering, file system manipulation (create/edit), and recursive agent invocation ('sub-agents'). While designed for productivity, it explicitly solicits highly sensitive organizational data (politics, incidents) and instructs the agent to spawn sub-processes/sub-agents, creating risks around data privacy and uncontrolled execution loops if the underlying runtime (e.g., Claude Code) grants full permission to sub-agents.

Unconstrained Sub-Agent Invocation

The workflow explicitly instructs the runtime to 'invoke a sub-agent' during the Reader Testing stage. Without strict sandboxing, sub-agents can inherit parent permissions, potentially bypassing restrictions, consuming excessive resources, or executing code in a new context without user oversight.

MEDIUM
SKILL.md
For each question, invoke a sub-agent with just the document content and the question.

Solicitation of Sensitive Organizational Data

The prompt explicitly asks the user to dump 'politics', 'team dynamics', and 'past incidents'. This encourages the user to introduce highly sensitive Non-Public Information (NPI) into the LLM context, which may be logged or leaked if the 'Reader Testing' phase sends this data to external endpoints.

MEDIUM
SKILL.md
Request information such as: ... Organizational context (team dynamics, past incidents, politics)

Direct File System Modification

The skill uses `create_file` and `str_replace` to modify documents. While intended for drafting, automated file editing based on broad context can lead to accidental data loss or overwriting of wrong files if the agent hallucinates filenames.

LOW
SKILL.md
Use create_file to create an artifact. This gives both Claude and the user a scaffold to work from.

Attack Surface Chain

1. Attacker (or user) provides malicious instructions mixed with legitimate context during the 'Info Dumping' stage (Stage 1).

2. The agent incorporates the malicious instructions into the 'draft' document during Stage 2.

3. During Stage 3 ('Reader Testing'), the agent 'invokes a sub-agent' passing the drafted document.

4. The sub-agent executes the malicious instructions contained in the draft (Prompt Injection), potentially utilizing the 'shell' capability identified in static findings to exfiltrate data or modify the system.