skill-lookup
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill is designed to fetch and save arbitrary files from an untrusted external MCP server (prompts.chat).
  - Evidence (SKILL.md): The instructions explicitly direct the agent to 'Save each file to the appropriate location', specifically including 'Scripts - Helper scripts (Python, shell, etc.)'.
- REMOTE_CODE_EXECUTION (HIGH): By automating the process of downloading scripts and configuration files from a non-whitelisted remote source to the local file system (.claude/skills/), the skill creates a direct path for Remote Code Execution.
  - Evidence (SKILL.md): The get_skill tool retrieves 'all file contents', which are then written to the disk. An attacker serving a malicious skill could include scripts that perform unauthorized actions once the agent or user interacts with them.
- DATA_EXFILTRATION (LOW): The skill communicates with a non-whitelisted external domain (prompts.chat) to perform searches and retrievals, which is an unverified network operation.
- INDIRECT PROMPT INJECTION (LOW): The skill lacks sanitization or boundary markers for the data it ingests from the external MCP server.
  - Ingestion points: Data returned by the search_skills and get_skill tools.
  - Boundary markers: Absent; the agent is instructed to save and present data as-is.
- Capability inventory: File system writing and network access (via MCP tools).
- Sanitization: Absent; no validation of file names, content, or script safety.
Recommendations
- AI detected serious security threats
Audit Metadata