skill-system-router
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell and PowerShell scripts to manage the skill index and run operations from other skills. It uses the powershell.exe -ExecutionPolicy Bypass flag to ensure internal automation scripts can run on Windows environments.
- [COMMAND_EXECUTION]: Command patterns involve dynamic parameter substitution into shell scripts defined in skill manifests. The router includes a mandatory policy check step against a local database (skill_system.policy_profiles) before execution to mitigate unauthorized actions.
- [COMMAND_EXECUTION]: Uses node -e and python -c to perform inline JSON processing during the index rebuilding process. This involves executing dynamically generated script strings using locally available runtimes.
- [COMMAND_EXECUTION]: The bootstrap process modifies the project's AGENTS.md file. This is an intended persistence mechanism for project-level configuration, allowing subsequent agent sessions to recognize the skill system.
- [DATA_EXFILTRATION]: Interacts with the GitHub API via the gh CLI to search for and create issues. It uses local git configuration (git remote) to resolve repository targets. These operations target a well-known service (GitHub) and are consistent with the skill's management purpose.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface when generating GitHub issues. Ingestion points: user-provided inputs (title, summary, impact, repro_steps) in scripts/report-improvement-issue.md. Boundary markers: none are used in the issue body template. Capability inventory: the gh CLI for issue creation, shell execution for index rebuilding, and SQL for policy/logging in SKILL.md. Sanitization: the agent is instructed to keep content factual and omit sensitive data, but no programmatic escaping is applied.
Audit Metadata