CreateSkill
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill possesses an indirect prompt injection surface as it is designed to read and process potentially untrusted skill files and user customization data.
  1. Ingestion points: Reads content from SKILL.md files and preference files in ~/.claude/skills/.
  2. Boundary markers: No explicit delimiters or instructions are used to ignore embedded directives in the read content.
  3. Capability inventory: Significant file manipulation (mkdir, touch, cp, mv) and command execution (bun, curl).
  4. Sanitization: No sanitization is performed on the ingested data before processing.
- [COMMAND_EXECUTION] (LOW): The skill directs the agent to execute multiple system commands (ls, mkdir, cp, mv, find, grep) for managing skill directories and files. The severity is low because these actions are essential to the skill's primary management purpose.
- [DATA_EXFILTRATION] (SAFE): A curl command is used to send JSON payloads to localhost:8888 for voice notifications. Localhost is a whitelisted domain for local communication.
Audit Metadata