skill-share

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted user input (skill name and description) and interpolates it directly into generated SKILL.md files and Slack messages. This creates a vulnerability surface where malicious instructions could be embedded in the skill metadata (Cat 8).
  • Ingestion points: User-provided skill name and description via natural language commands.
  • Boundary markers: Not present. There is no mention of delimiters or 'ignore' instructions used when wrapping user data in templates.
  • Capability inventory: The skill has write access to the file system (creating directories, scripts, and ZIP files) and network output capabilities (Slack messaging via Rube).
  • Sanitization: No sanitization, escaping, or validation logic is documented for the user-provided strings before they are processed.
  • Data Exposure & Exfiltration (MEDIUM): The integration with Rube for Slack messaging enables the automated transmission of generated content to external channels. If an attacker leverages the injection point, they could potentially exfiltrate sensitive environment data or system information by including it in the 'skill summary' posted to Slack.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:04 AM