skill-best-practices
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's procedure in
SKILL.md(Step 1.3) instructs the agent to execute a local Python script using user-defined metadata variables:python3 scripts/validate-metadata.py --name "[name]" --description "[description]". This pattern of interpolating untrusted input into a command-line string represents a potential vector for command injection if the input strings contain shell metacharacters like;,&, or|. - [PROMPT_INJECTION]: An indirect prompt injection surface is present as the skill processes untrusted user-supplied data (skill name and description) which is then used in a shell-level operation.
- Ingestion points: User-provided
[name]and[description]in theSKILL.mdworkflow. - Boundary markers: The instruction uses double quotes (
"[name]") as a basic but bypassable delimiter. - Capability inventory: Execution of a local Python script via the command line.
- Sanitization: Although the Python script (
scripts/validate-metadata.py) includes logic for regex and keyword validation, these checks occur after the script has been launched, meaning they do not protect against injection during the initial command parsing by the shell.
Audit Metadata