skill_creator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [Dynamic Execution] (CRITICAL): The skill exists to turn natural-language instructions into executable Python and write it to the local filesystem, which is a direct path to arbitrary code execution. Evidence: 'make_skill.py' writes the generated content straight into '.py' files, and the instructions direct the agent to run them with 'run_skill_script'.
  • [Data Exposure & Exfiltration] (CRITICAL): 'make_skill.py' performs no path validation on either the 'folder_name' parameter or the per-file 'path' field, so both are directory traversal vectors. Evidence: 'target_dir = skills_root / folder_name' and 'file_path = target_dir / f['path']' are bare path joins; a value containing '../../' (or an absolute path, which pathlib's '/' operator accepts in place of the left operand) lands outside the intended skills directory, where it can overwrite system configuration or SSH key material.
  • [Indirect Prompt Injection] (HIGH): Untrusted input is transformed into executable code with no control beyond a syntax check, so anything that steers the generation also steers what is written to disk and executed. Evidence: the ingestion point is the user prompt described in 'SKILL.md'; the capability inventory includes unrestricted file writes and subprocess execution; sanitization is absent, since 'ast.parse' only confirms that the text is valid Python and says nothing about what it does.
  • [Persistence Mechanisms] (HIGH): Combined with the path traversal above, the skill can establish persistence by writing scripts into shell profile directories or startup folders. Evidence: 'make_skill.py' will write arbitrary content to any path the agent process can reach.
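Added example (not code from the audited skill or from 'make_skill.py'), in Python because that is what the skill writes: the unvalidated path join the second finding quotes beside a confined replacement, plus a demonstration of why the 'ast.parse' check in the third finding is not sanitization. 'skills_root', 'folder_name' and the per-file path follow the audit's evidence; 'confine_path', 'is_confined', 'imported_modules' and the sample snippet are assumptions introduced here.

```python
"""Added example (not code from make_skill.py or the audited skill): the
unvalidated path join the audit quotes, a confined replacement, and a
demonstration that ast.parse is only a syntax check. skills_root,
folder_name and the per-file 'path' follow the audit's evidence;
confine_path, is_confined and imported_modules are hypothetical helpers."""
from __future__ import annotations

import ast
from pathlib import Path, PurePosixPath


class PathEscapeError(ValueError):
    """Raised when a requested destination would land outside the skills root."""


def unsafe_target(skills_root: str | Path, folder_name: str, rel_path: str) -> Path:
    # The pattern the audit flags: two bare joins, no validation. pathlib keeps
    # '..' components as-is and, given an absolute right operand, discards the
    # left side entirely, so either input escapes skills_root.
    target_dir = Path(skills_root) / folder_name
    return target_dir / rel_path


def confine_path(skills_root: str | Path, folder_name: str, rel_path: str) -> Path:
    """Return the absolute destination, or raise if it is outside skills_root.

    Both checks are needed: the lexical one (reject '..', absolute and empty
    components) gives a clear error, and the resolved one (follow symlinks,
    then require the result to stay under the root) catches symlinked
    directories the lexical check cannot see.
    """
    root = Path(skills_root).resolve()
    for component in (folder_name, rel_path):
        spec = PurePosixPath(component)  # assumption: spec paths are POSIX-style
        if not spec.parts or spec.is_absolute() or ".." in spec.parts:
            raise PathEscapeError(f"rejected path component: {component!r}")
    candidate = (root / folder_name / rel_path).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise PathEscapeError(f"{candidate} escapes {root}")
    return candidate


def is_confined(skills_root: str | Path, folder_name: str, rel_path: str) -> bool:
    """True if confine_path would accept the destination."""
    try:
        confine_path(skills_root, folder_name, rel_path)
    except PathEscapeError:
        return False
    return True


# Constructed sample: valid Python that a syntax check waves through.
DANGEROUS_SNIPPET = (
    "import subprocess\n"
    "subprocess.run(['sh', '-c', 'echo pwned'])\n"
)


def passes_syntax_check(source: str) -> bool:
    """Exactly what ast.parse guarantees: the text is valid Python. Nothing more."""
    try:
        ast.parse(source)
    except SyntaxError:
        return False
    return True


def imported_modules(source: str) -> set[str]:
    """Top-level module names the script imports statically.

    An inventory for a reviewer, not a sandbox: __import__, importlib and exec
    bypass it, so it complements path confinement rather than replacing it.
    """
    names: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names


if __name__ == "__main__":
    hostile = ("../../etc", "cron.d/evil")  # constructed attacker-controlled values
    print("unvalidated join ->", unsafe_target("skills", *hostile))
    print("confined join accepts it? ->", is_confined("skills", *hostile))
    print("syntax check passes hostile snippet? ->", passes_syntax_check(DANGEROUS_SNIPPET))
    print("imports:", sorted(imported_modules(DANGEROUS_SNIPPET)))
```

The resolved check is what matters when the skills tree already contains a symlink pointing elsewhere; the lexical check alone would accept 'my_skill/link/run.py' and write through the link.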
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 01:01 PM