skill-developer
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill architecture creates a surface for indirect prompt injection by ingesting untrusted user input to generate instructions for the AI.
  - Ingestion points: The `UserPromptSubmit` and `PreToolUse` hooks read user prompts and tool inputs from `stdin` as described in `HOOK_MECHANISMS.md`.
  - Boundary markers: The system uses visual delimiters (e.g., `━━━━━━━━━━`) in stdout/stderr, but the documentation does not specify instructions to ignore embedded commands within the processed data.
  - Capability inventory: The hooks possess the capability to block file modifications (Edit/Write tools) by returning exit code 2.
  - Sanitization: No explicit sanitization or escaping of the user-provided prompt is mentioned before it is processed by regex or potentially reflected in messages to the AI.
- [Remote Code Execution] (SAFE): Documentation references the execution of local TypeScript scripts using `npx tsx`. No patterns of downloading and piping remote scripts (e.g., `curl | bash`) were found.
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials or sensitive file access patterns detected. The system uses local session state files in `.claude/hooks/state/` for state management, which is a standard practice for this implementation.
- [Prompt Injection] (SAFE): No instructions designed to bypass safety filters or override the agent's core instructions were identified in the trigger patterns or documentation.
Audit Metadata