skill-maker
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted user data to generate file systems and documentation. * Ingestion points: User input gathered via the clarification loop (references/input_validation.md). * Boundary markers: Absent; no delimiters or safety warnings are used when interpolating user data into generated markdown or YAML. * Capability inventory: File system write operations (creating SKILL.md, references/, and scripts/ directories) and README.md modification. * Sanitization: Absent; user-provided strings are not validated against injection patterns before being written to disk.
- Remote Code Execution (MEDIUM): The skill structure includes a scripts/ directory for executable code. If the agent generates these scripts based on user descriptions without sandboxing, it enables user-influenced code execution.
- Metadata Poisoning (MEDIUM): User-controlled strings are placed in the repository README.md, allowing for the injection of instructions that could mislead other agents or users.
Recommendations
- AI detected serious security threats
Audit Metadata