CreateSkill
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands like mkdir, cp, mv, touch, find, and grep to manage the file system. These operations are restricted to the agent's internal skill directories (~/.claude/skills/).
- [DYNAMIC_EXECUTION]: The skill is designed to create TypeScript tools and execute them using the bun runtime. It includes instructions for mapping natural language user intents to CLI flags, which is a standard pattern for the described system.
- [DATA_EXFILTRATION]: The skill performs curl POST requests to http://localhost:8888/notify for local voice and text notifications. Since the target is localhost, this does not represent an external exfiltration risk.
- [INDIRECT_PROMPT_INJECTION]: The skill includes mechanisms to load user-defined customizations from a specific local directory (~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/CreateSkill/). While this provides an entry point for external data, it is a documented feature for user preferences.
  - Ingestion points: Reads user preferences and resources from a dedicated local path.
  - Boundary markers: None; the skill assumes valid configuration files.
  - Capability inventory: File system modification, local network notifications, and execution of local TypeScript files via bun.
  - Sanitization: None; relies on the agent's internal logic to process and apply the loaded configurations.
Audit Metadata