skill-management
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill documents and enables the use of dynamic context injection using the backtick syntax (represented as !`command` in the text). This allows for the execution of arbitrary shell commands on the host system to populate prompt context, which is a high-privilege capability.
- REMOTE_CODE_EXECUTION (MEDIUM): The support for $ARGUMENTS interpolation into dynamic shell commands (e.g., in the 'pr-summary' example) creates a direct path for shell injection if arguments are not properly sanitized by the calling agent.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is intended to 'Create, update, and manage' other skills, creating an attack surface for persisting malicious instructions.
  - Ingestion points: The skill logic processes user/agent input to write and modify SKILL.md files in ~/.claude/skills/ or .claude/skills/.
  - Boundary markers: The documentation lacks instructions for implementing delimiters or 'ignore' instructions when handling untrusted user input.
  - Capability inventory: The system supports shell command execution (!command) and subagent forking (context: fork).
  - Sanitization: No sanitization or validation logic is specified for the input stored in managed skill files.
Audit Metadata