skill-developer
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The system documentation describes the execution of local shell scripts and TypeScript files via npx tsx, triggered during prompt submission and tool usage. While this is the intended functionality for the auto-activation system, it creates a pattern of executing local code based on agent-detected triggers. Evidence: HOOK_MECHANISMS.md references skill-activation-prompt.sh and skill-verification-guard.sh.
- [PROMPT_INJECTION] (LOW): The architecture includes built-in methods to bypass security guardrails, such as the @skip-validation file marker and environment variable overrides (envOverride). These features allow users to intentionally circumvent enforcement logic. Evidence: SKILL_RULES_REFERENCE.md and HOOK_MECHANISMS.md.
- [EXTERNAL_DOWNLOADS] (LOW): The use of npx tsx to run hook logic may result in the download and execution of the tsx package from the npm registry if it is not cached locally. Evidence: HOOK_MECHANISMS.md.
- [PROMPT_INJECTION] (LOW): The system exhibits an attack surface for Indirect Prompt Injection. Evidence Chain:
  - Ingestion points: The hooks ingest raw user prompts and read file contents to perform pattern matching against contentPatterns. Evidence: HOOK_MECHANISMS.md and TRIGGER_TYPES.md.
  - Boundary markers: The documentation does not specify any delimiters or sanitization techniques to prevent untrusted data from influencing agent behavior during analysis.
  - Capability inventory: The hook system has the capability to block file-writing tools and inject instructions into the agent's context as a system message. Evidence: HOOK_MECHANISMS.md.
  - Sanitization: No mention of data sanitization or escaping of ingested file content before use.
Audit Metadata