skill-factory
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE | COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill ingests untrusted data from external sources (Phase 1: Research) which is subsequently used to generate and validate new skill code (Phase 3: Create). This workflow presents an attack surface where malicious instructions embedded in research data could influence the code generation or validation process.
  - Ingestion points: Research materials stored in `docs/research/skills/` (File: references/workflow-architecture.md).
  - Boundary markers: Phase 2 ('Format') is described as cleaning UI artifacts, but no explicit boundary markers or 'ignore' instructions are documented to isolate research content from the generation prompt (File: references/workflow-examples.md).
  - Capability inventory: The skill uses `SlashCommand` to create files, invoke other skills, and execute local scripts like `scripts/quick_validate.py` (File: references/workflow-execution.md).
  - Sanitization: Documentation mentions removing navigation elements but does not describe semantic sanitization or instruction filtering for the ingested content (File: references/workflow-examples.md).
- Command Execution (SAFE): The skill orchestrates its workflow by invoking internal slash commands (e.g., `/meta-claude:skill:research`) and executing local helper scripts. These operations are part of the stated functionality of the skill-factory and are invoked within a controlled environment.
- Data Exposure & Exfiltration (SAFE): Documentation references the use of `FIRECRAWL_API_KEY` as an environment variable. No hardcoded credentials or unauthorized data transmission patterns were identified in the provided reference files (File: references/troubleshooting.md).
Audit Metadata