skill-pipeline

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill provides a large surface for indirect prompt injection via external content ingestion.
    1. Ingestion points: The agent is instructed to fetch and summarize data from arbitrary URLs defined in sources.md files during the Research and Refinement phases.
    2. Boundary markers: Absent; no delimiters or ignore-embedded-instruction warnings are specified.
    3. Capability inventory: The skill can modify files in the ~/skills/ directory, execute git push to remote repositories, and run npx commands.
    4. Sanitization: Absent; external data is integrated directly into skill documentation and workflows.
  • COMMAND_EXECUTION (MEDIUM): The skill automates file and repository management via shell commands. Evidence: SKILL.md and iteration.md contain blocks for git add, git commit, and git push, as well as directory iteration loops.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill executes code from unverified external registries. Evidence: Frequent instructions to run npx skills update, which downloads and executes code from the npm registry, posing a supply chain risk if the package is malicious or shadowed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:17 AM