skill-architect
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, NO_CODE
Full Analysis
- [COMMAND_EXECUTION]: The skill requests unrestricted Bash tool access and directs the agent to execute various local scripts (e.g., init_skill.py, validate_skill.py). While the intended use is for skill management, the broad permission allows for the execution of arbitrary commands if the agent is misled.
- [PROMPT_INJECTION]: The skill is designed to ingest and audit external skills, creating a primary vector for indirect prompt injection. A malicious skill being reviewed could contain hidden instructions intended to hijack the agent's session and utilize its Bash or Write capabilities.
  - Ingestion points: Processes SKILL.md files, scripts, and repository structures during the auditing and improvement workflows (SKILL.md Steps 4-5).
  - Boundary markers: None identified. The instructions do not specify using delimiters or warnings to ignore instructions embedded within the data being audited.
  - Capability inventory: Access to Read, Write, Edit, and Bash tools provides a high-privilege environment for an injection to exploit.
  - Sanitization: None identified. The skill does not provide mechanisms to sanitize or validate the content of the skills it audits.
- [NO_CODE]: The skill package references multiple functional scripts in its core instructions (such as scripts/init_skill.py and scripts/validate_skill.py) that are not included in the distribution. This results in 'phantom tools' that may lead to agent confusion or attempts to find/generate missing logic.
Audit Metadata