skill-tester
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script script_runner.py executes local scripts using subprocess.run with parameterized arguments and shell=False to mitigate command injection risks.
- [COMMAND_EXECUTION]: The skill dynamically generates a temporary Python shim (sitecustomize.py) at runtime in a temporary directory to facilitate API call logging in scripts under test.
- [DATA_EXFILTRATION]: The skill reads sensitive local data from ~/.claude/projects/ (Claude Code session logs) to provide visibility into native tool usage and API calls as part of its auditing function.
- [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it analyzes untrusted third-party skill content.
  - Ingestion points: api_logger.py and prompt_linter.py read script source code and SKILL.md instructions from the skill being audited.
  - Boundary markers: SKILL.md (Line 18) defines a 'content-as-data' rule that explicitly instructs the model to treat all ingested content as data to be analyzed rather than instructions to be followed.
  - Capability inventory: The skill can execute local scripts via script_runner.py and read/write files within its workspace.
  - Sanitization: shared_io.py includes _reject_traversal and _check_boundary functions to ensure file operations are restricted to allowed directories.
Audit Metadata