skill-creator-plus
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's primary function includes reviewing external, untrusted SKILL.md files, which creates a significant attack surface for indirect prompt injection.
  - Ingestion points: Specifically identifies 'Reviewing existing SKILL.md files' and references 'references/skill-review-checklist.md' as targets for processing.
  - Boundary markers: Absent. The instructions do not provide delimiters or warnings to the agent to treat the reviewed content as untrusted data.
  - Capability inventory: The skill explicitly allows for the execution of Python scripts (init_skill.py and package_skill.py) which could be targeted by an injection attack.
  - Sanitization: Absent. There is no evidence of input validation or content filtering for the files being analyzed.
- [Command Execution] (MEDIUM): The creation workflow instructs the agent to run local scripts (scripts/init_skill.py, scripts/package_skill.py) using user-defined variables such as <name> and <path>. This pattern is susceptible to command injection if the agent does not strictly validate these inputs before invoking the subprocess.
Recommendations
- AI detected serious security threats