create-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The execution logic explicitly states it will insert user input "completely as provided by the user, without modification" into the generated SKILL.md file. This creates a significant vulnerability where a user can provide a skill description that contains hidden instructions or jailbreak attempts. When the agent subsequently loads or reads the newly created skill, it will execute those instructions as if they were part of the system's own skill library.
  - Ingestion points: User input fields for "Skill Name", "Description", and "Tools".
  - Boundary markers: Absent. The skill deliberately avoids modifying or delimiting the input.
  - Capability inventory: Write, Bash, Read, Glob. These allow the agent to modify the file system and potentially execute commands.
  - Sanitization: Non-existent for the 'description' field beyond a minimum length check. While 'name' is validated with a regex, that check does not prevent malicious content in the other fields.
- Command Execution (MEDIUM): The skill uses the 'Bash' tool to perform file system operations. While intended for directory creation, the combination of bash access with a workflow that generates new executable instructions (skills) increases the impact of any successful injection.
- Persistence (MEDIUM): The skill modifies the agent's permanent configuration directory (.claude/skills/). Any malicious instructions injected via this tool will persist across sessions and influence future agent behavior until manually deleted.
Recommendations
- AI detected serious security threats