skill-stocktake
Pass
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface identified. The skill ingests content from other SKILL.md files to evaluate them against a checklist.\n
- Ingestion points: The scan.sh script extracts metadata fields, and the Phase 2 subagent reads the full inventory of skills.\n
- Boundary markers: Absent in the subagent evaluation prompt.\n
- Capability inventory: The skill executes local bash scripts (scan.sh, quick-diff.sh, save-results.sh) and writes to a results.json file.\n
- Sanitization: No specific sanitization or escaping is performed on the ingested skill content.\n- [COMMAND_EXECUTION]: The skill uses local shell scripts to perform inventory and state management tasks. These scripts employ defensive practices such as using mktemp for temporary files and jq for safe JSON construction.\n- [DATA_EXPOSURE]: The skill reads from ~/.claude/skills/ and ~/.claude/observations.jsonl. This access is necessary for its primary function of auditing existing skills and calculating usage frequency.
Audit Metadata