builder
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): This skill functions as a factory for new instructions and commands. It ingests untrusted user input to generate SKILL.md and command files without boundary markers or sanitization. This is a primary vector for persistent indirect prompt injection. Evidence Chain: 1. Ingestion point: User input provided during /create-agent and /create-workflow. 2. Boundary markers: Absent in provided templates. 3. Capability inventory: File-write operations to ~/.claude/skills/ and ~/.claude/config/. 4. Sanitization: Absent; the agent generates code and skill files directly from user-provided domain needs.
- [Command Execution] (MEDIUM): The skill generates workflow command files (.md) designed to be loaded and executed by the agent system. If poisoned, these commands can execute unauthorized sequences of operations.
- [File System Access] (MEDIUM): The skill's documented workflow requires writing files to directories that define the agent's available tools (~/.claude/skills/ and ~/.claude/config/), allowing for the modification of the agent's operational logic.
Recommendations
- AI detected serious security threats
Audit Metadata