skill-creator
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Python
subprocessmodule to execute system commands. Inscripts/run_eval.pyandscripts/run_loop.py, it invokes theclaudeCLI to run evaluations of other skills. Ineval-viewer/generate_review.py, it executeslsofto manage network ports used by the evaluation viewer's local HTTP server. - [EXTERNAL_DOWNLOADS]: The
eval-viewer/viewer.htmlfile includes a script tag that loads the SheetJS library fromcdn.sheetjs.com. This download is from a well-known service and is used for rendering spreadsheet data within the evaluation viewer. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface (Category 8) because it is designed to ingest and process untrusted external content as part of the skill creation and optimization workflow.
- Ingestion points: Untrusted data enters the agent context via
evals/evals.json,feedback.json, and user-provided skill drafts. - Boundary markers: The skill uses XML-style tags such as
<new_description>to delimit generated content, though these do not provide a complete defense against adversarial content. - Capability inventory: The skill has capabilities including filesystem write access, network communication via the Anthropic API, and subprocess command execution.
- Sanitization: The evaluation viewer uses basic HTML escaping to prevent XSS during result rendering, but the core logic relies on prompt instructions rather than robust data sanitization for instruction isolation.
Audit Metadata