skill-neovim-research
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill utilizes unsafe shell interpolation within its Bash stages.
- Evidence: In Stage 2, the variable
$task_numberis interpolated directly into a jq filter string:select(.project_number == '$task_number'). This allows for jq filter injection if the input is not strictly validated as an integer. - Evidence: In Stage 3, an unquoted heredoc (
<< EOF) is used to create a marker file. This allows for shell expansion of variables like${session_id}. If the session ID or other metadata can be influenced by an attacker, it could lead to arbitrary command execution during the heredoc processing. - Evidence: In Stage 3, the variable
$project_nameis used directly in directory creation (mkdir) and file paths, presenting a risk of path traversal or command injection if the project name contains shell metacharacters or../sequences. - [PROMPT_INJECTION] (LOW): The skill possesses a surface for Indirect Prompt Injection (Category 8).
- Ingestion points: The skill reads and parses JSON data from
specs/state.json(Stage 1) and.return-meta.json(Stage 6), the latter of which is produced by a subagent that researches Neovim documentation on the web. - Boundary markers: No delimiters or "ignore embedded instructions" warnings are used when processing these files.
- Capability inventory: The skill has the ability to execute Bash commands, write to the filesystem, and perform Git operations (
git add,git commit). - Sanitization: Sanitization is inconsistent; while some jq operations use
--arg, many others rely on direct shell interpolation, making the skill vulnerable to malicious data injected via the subagent's output metadata.
Audit Metadata