character-card-v3-generator
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection through its card conversion workflow.
- Ingestion points: SKILL.md (Step 2) and popular-card-patterns.md describe a process of loading existing character cards and performing a 'minimal-diff transform' while preserving 'existing intent/content'.
- Boundary markers: Absent. The instructions do not include any guidance on detecting or stripping malicious instructions from existing cards before mapping them to high-authority fields like 'system_prompt'.
- Capability inventory: The generated output directly influences the behavior of downstream AI agents (e.g., in SillyTavern) via the 'system_prompt' and 'post_history_instructions' fields.
- Sanitization: Absent. There is no instruction to validate the safety of the content being transformed.
- COMMAND_EXECUTION (LOW): The skill utilizes a local Python script (scripts/validate_card.py) for structural verification. Analysis of the script shows it is a safe JSON schema validator using standard libraries and does not execute card content as code.
- Dynamic Execution (MEDIUM): As documented in references/regex-scoped-scripts.md, the skill facilitates the creation of 'data.extensions.regex_scripts'. These scripts perform runtime text transformations on the agent's input and output. Malicious input could influence the generation of regex patterns that strip security markers or inject malicious content into the visible UI of the target frontend.
Recommendations
- AI detected serious security threats
Audit Metadata