Getting Started with Skills

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains forceful instructions designed to override user intent. Specifically, the 'Instructions ≠ Permission to Skip Workflows' section explicitly tells the agent to disregard instructions from its human partner if they suggest skipping the mandated workflow (e.g., 'Add X', 'Fix Y' are not permission to skip brainstorming). It uses authoritative markers like 'Critical Rules', 'YOU MUST', and 'Don't rationalize' to ensure these meta-instructions take precedence over other parts of the conversation.
  • [COMMAND_EXECUTION]: The skill-run script is a generic execution primitive. It takes a path relative to SKILLS_ROOT as its first argument and hands control to that file with exec "$SCRIPT" "$@", so any executable file under the SKILLS_ROOT directory tree can be run with caller-supplied arguments passed through unchanged.
  • [REMOTE_CODE_EXECUTION]: The mandatory workflow of reading and following instructions from external files (SKILL.md files discovered via find-skills), combined with a script runner (skill-run), means that malicious instructions in a skill file could direct the agent to execute harmful local scripts.
  • [DATA_EXPOSURE]: The find-skills script logs every search pattern to a local file at ${XDG_CONFIG_HOME:-$HOME/.config}/superpowers/search-log.jsonl. Any credentials or private data a user includes in a search query would therefore be retained on disk in that log.
  • [PROMPT_INJECTION]: Category 8 (Indirect Prompt Injection) analysis:
      • Ingestion points: SKILL.md instructs the agent to use the Read tool to ingest the content of any SKILL.md file found in the skills directory.
      • Boundary markers: The instructions define no boundary markers or 'ignore' warnings for the content being read; instead they mandate that the agent 'Follow it exactly'.
      • Capability inventory: The skill set includes skill-run, which can execute scripts and spawn subprocesses.
      • Sanitization: There is no evidence that the content of the read skill files is sanitized or validated before the agent is expected to act on its instructions.
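The COMMAND_EXECUTION and REMOTE_CODE_EXECUTION findings above describe skill-run as exec "$SCRIPT" "$@" on a path relative to SKILLS_ROOT. The script below is an added example of the containment check a reviewer would want such a runner to perform before the exec; it is not the project's skill-run script and makes no claim about what that script does or does not check. It assumes SKILLS_ROOT is the skills directory and the first argument is a relative path, as the audit states; the function names, the constructed temporary skill tree, and the use of readlink -f (GNU coreutils, macOS 12.3+) for canonicalization are assumptions of this example.

```shell
#!/bin/sh
# Containment-checked skill runner: an added example, not the project's own
# skill-run. Assumes SKILLS_ROOT points at the skills directory and that the
# first argument is a path relative to it.
set -eu

# resolve_skill_script ROOT RELPATH
# Prints the canonical path of RELPATH only if it is a relative path that,
# after symlink resolution, still lies under ROOT and is a regular executable
# file. Absolute paths, ".." escapes, symlinks pointing outside ROOT,
# directories and non-executables all make it print nothing and return 1.
resolve_skill_script() {
  root="$1"; rel="$2"
  root_abs=$(cd -- "$root" 2>/dev/null && pwd -P) || return 1
  case "$rel" in
    ''|/*) return 1 ;;          # empty or absolute: not a relative skill path
  esac
  # readlink -f canonicalizes and follows symlinks (assumption: GNU/macOS 12.3+).
  target=$(readlink -f -- "$root_abs/$rel" 2>/dev/null) || return 1
  [ -n "$target" ] || return 1
  case "$target" in
    "$root_abs"/*) ;;           # resolved inside the root
    *) return 1 ;;              # escaped the root via ../ or a symlink
  esac
  [ -f "$target" ] && [ -x "$target" ] || return 1
  printf '%s\n' "$target"
}

# skill_run RELPATH [ARGS...]: the exec step, reached only after the check.
skill_run() {
  script=$(resolve_skill_script "${SKILLS_ROOT:?SKILLS_ROOT must be set}" "$1") || {
    printf 'skill-run: refusing %s: not an executable file under SKILLS_ROOT\n' "$1" >&2
    return 1
  }
  shift
  exec "$script" "$@"
}

# demo_skill_root: builds a constructed SKILLS_ROOT in a temporary directory
# with one legitimate skill script and one symlink that escapes the tree.
# Prints the temporary directory; the skills root is "$tmp/skills".
demo_skill_root() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/skills/hello" "$tmp/outside"
  printf '#!/bin/sh\necho "hello from skill: $*"\n' > "$tmp/skills/hello/run.sh"
  chmod +x "$tmp/skills/hello/run.sh"
  printf '#!/bin/sh\necho outside\n' > "$tmp/outside/evil.sh"
  chmod +x "$tmp/outside/evil.sh"
  ln -s "$tmp/outside/evil.sh" "$tmp/skills/hello/link.sh"
  printf '%s\n' "$tmp"
}

# When invoked directly with arguments, behave as the runner.
if [ "$#" -gt 0 ]; then
  skill_run "$@"
fi
```

The check deliberately canonicalizes both ends (pwd -P for the root, readlink -f for the target) before comparing, so a symlink placed inside the skills tree cannot redirect the exec to a file elsewhere, and it refuses directories and non-executable files rather than letting exec fail with a less informative error.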
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 5, 2026, 07:56 AM