skill-editor
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: High surface for indirect prompt injection due to the skill's primary function of refactoring other agents.
  - Ingestion points: The skill processes user-provided specifications and reads existing SKILL.md files for modification.
  - Boundary markers: No explicit delimiters are used to separate untrusted content from the orchestrator's system instructions.
  - Capability inventory: Significant privilege including file writing, git manipulation, and the ability to launch any other agent via the Task tool.
  - Sanitization: It performs structural validation (YAML/JSON parsing) but does not filter the logical content of the instructions it refactors.
- [COMMAND_EXECUTION]: Local system operations for configuration management. The skill executes git commands and repository-local scripts (./sync-config.py) to apply changes to the system. It contains a hardcoded absolute path (/Users/davidangelesalbores/...) in the experimental-tagging.sh script; while consistent with the vendor's context, this limits portability and could lead to execution errors in different environments. The skill's primary purpose is the dynamic creation and modification of executable agent behavioral logic in the user's skill directory.
Audit Metadata