skill-tester
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script_tester.py script uses subprocess.run to execute Python scripts found within the directory path provided by the user. While this is the intended purpose for testing, it creates a vector for arbitrary code execution if the tool is pointed at a malicious directory.
- [EXTERNAL_DOWNLOADS]: The scripts quality_scorer.py and skill_validator.py import the yaml module (PyYAML). This is an external dependency that is not part of the Python standard library, which contradicts the documentation's claim that the skill has "Zero External Dependencies".
- [REMOTE_CODE_EXECUTION]: The testing framework facilitates the execution of local files through the script_tester.py utility. In an autonomous agent context, an attacker could potentially trick the agent into running malicious code by directing the tester to a compromised path.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted files from the file system without sufficient isolation.
  - Ingestion points: The skill_path argument defines the source for scripts, metadata, and documentation files processed by the tool.
  - Boundary markers: None. The tool reads and analyzes file content directly without markers or instructions to ignore embedded logic.
  - Capability inventory: subprocess.run in script_tester.py provides code execution capabilities. Path.read_text across all scripts allows file system access.
  - Sanitization: Minimal; the scripts use Path.resolve() for path validation but do not sanitize the content of the files before analysis or execution.
Audit Metadata