agent-skill-maker
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill fetches content from
agentskills.ioand explicitly instructs the agent that this content should "override any cached knowledge." This domain is not in the trusted source list. If the external site is compromised, an attacker can hijack the agent's behavior and bypass existing safety guidelines by providing malicious 'specifications'. - Ingestion points: Step 0 uses
WebFetchto retrieve content from external URLs; Step 1 ingests raw user arguments. - Boundary markers: None. No instructions are given to ignore or sanitize embedded commands in the fetched content.
- Capability inventory: Step 5 allows for file creation, directory creation, and changing file permissions (
make them executable). - Sanitization: None.
- Remote Code Execution / Command Execution (HIGH): The skill directs the agent to create supporting scripts based on user-provided instructions and external documentation, and then perform the equivalent of a
chmod +xoperation ("make them executable"). This allows an attacker (via user input or poisoned documentation) to drop and prepare malicious binaries or scripts for execution on the host system. - Data Exposure (MEDIUM): In Step 2, the skill attempts to search for files in the user's home directory (
~/.*/skills/...). This provides a mechanism for an attacker to verify the existence of specific directories or files in sensitive user areas via path traversal or probing instructions.
Recommendations
- AI detected serious security threats
Audit Metadata