skill-share

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill creates an attack surface by ingesting untrusted user input (skill name and description) and using it to generate SKILL.md files, directory structures, and Slack notifications.
    • Ingestion points: User-provided metadata during the 'Initialization' step in SKILL.md.
    • Boundary markers: None identified in the provided documentation to separate user input from generated instruction/code templates.
    • Capability inventory: Write access to the filesystem (creating directories/zips) and network access via Slack integration (Rube).
    • Sanitization: No sanitization logic is described for the user input used in script generation or Slack block formatting.
  • [Dynamic Execution] (MEDIUM): The skill documentation explicitly mentions it 'Generates standardized scripts/' and 'Auto-generates YAML frontmatter'. Writing executable scripts to the local filesystem based on user-provided metadata is a form of dynamic code generation that could be exploited to embed malicious logic into the 'created' skills.
  • [Data Exfiltration] (MEDIUM): The skill leverages Rube for Slack integration (SLACK_SEND_MESSAGE, SLACK_POST_MESSAGE_WITH_BLOCKS). While intended for discovery, this mechanism could be abused to exfiltrate sensitive data if an injection attack influences the 'summary' or 'metadata' sent to the Slack workspace.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 03:41 AM