skill-audit
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH PROMPT_INJECTION EXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is explicitly designed to analyze untrusted external code and instructions from third-party repositories and local directories. This represents a maximum attack surface for Indirect Prompt Injection.
  - Ingestion points: Uses WebFetch for GitHub URLs and Read/Glob for local file systems as specified in the README.
  - Boundary markers: The documentation claims to treat content as untrusted, but without the actual skill definition, the effectiveness of delimiting markers cannot be verified.
  - Capability inventory: Accesses system files via Read, Grep, and Glob; performs network requests via WebFetch.
  - Sanitization: Claims to redact secrets and use isolated execution, but the fundamental risk of an agent processing adversarial instructions remains.
- External Downloads (LOW): The skill downloads remote content from GitHub (api.github.com and raw.githubusercontent.com). While these are common sources, they are used here to pull potentially malicious skill code into the local environment for analysis.
- Data Exposure (MEDIUM): The skill requires access to sensitive local paths such as .claude/skills/ and .claude/commands/ to perform its audit functions. While necessary for its stated purpose, this provides a pathway for reading local configuration and skill data.
Recommendations
- AI detected serious security threats
Audit Metadata