skill-security-auditor
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains numerous prompt injection and malicious instruction patterns within its detection engine (scripts/skill_security_auditor.py) and educational documentation (references/threat-model.md). These are used as regex definitions for auditing other skills and as learning examples. Natural instructions in SKILL.md are safe and align with the tool's purpose.
- [EXTERNAL_DOWNLOADS]: The skill uses git clone to fetch external repositories for analysis when a user provides a URL. This functionality is essential for the tool's primary purpose as a security scanner for remote skills.
- [COMMAND_EXECUTION]: The script executes git commands using subprocess.run with list-based arguments. This is a safe implementation that avoids shell injection. The commands are used to clone and manage temporary directories for auditing.
- [PROMPT_INJECTION]: (Category 8: Indirect Prompt Injection surface) The tool processes untrusted external markdown and code files to identify security risks.
  - Ingestion points: Files are read via Path.read_text() in scripts/skill_security_auditor.py for regex matching.
  - Boundary markers: The scanner does not use explicit boundary markers or delimiters when reading external file content.
  - Capability inventory: The skill can execute git clone via subprocess.run and perform file system cleanup with shutil.rmtree.
  - Sanitization: Content is processed for pattern matching without sanitization; however, the script does not execute the audited code, minimizing risk.
Audit Metadata