mcp-to-skill

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The SKILL.md documentation includes a command that executes a script located at a hardcoded absolute path in the user directory (~/.claude/skills/skill-creator/scripts/package_skill.py). This creates a dependency on an external script not provided within the skill package.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because its core functionality involves parsing untrusted external codebase metadata to generate instructions for new skills.
  • Ingestion points: The analyze_mcp.py script reads file contents from .ts, .tsx, and .py files in a project directory provided at runtime.
  • Boundary markers: There are no protective delimiters or instructions to ignore embedded commands when the extracted descriptions are placed into the new SKILL.md templates.
  • Capability inventory: The skill's output is used to create new executable files and system instructions, which could lead to code execution if the input project is malicious.
  • Sanitization: No sanitization or validation is performed on the extracted strings before they are incorporated into the generated skill definition.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 11:08 AM