skillforge
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core architecture (Phase 0 Triage) is designed to process arbitrary untrusted data to determine agent actions.
- Ingestion points:
README.mdandSKILL.mdspecify that the skill analyzes 'any input' including prompts, errors, code, and URLs. - Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the processed data.
- Capability inventory:
scripts/package_skill.pyperforms recursive file reads and writes to disk; the skill's primary purpose is generating and modifying executable code (SKILL.mdand Python scripts) which are then loaded into the agent's environment. - Sanitization: Absent. No validation or filtering logic is present for external content before it influences the code generation or routing process.
- COMMAND_EXECUTION (MEDIUM): The skill includes utility scripts and templates that perform file system operations.
scripts/package_skill.pyusesPath.rglob('*')andzipfile.ZipFileto read and package directory contents.assets/templates/script-template.pyprovides boilerplate for scripts that perform atomic file writes (Path.write_text,Path.rename) and state management.- While these are functional requirements, they provide a high-privilege surface that can be exploited if the agent is misled via the Phase 0 ingestion point.
Recommendations
- AI detected serious security threats
Audit Metadata