skill-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted user input to generate file structures, documentation, and executable scripts.
- Ingestion points: User-provided examples and requirements for new skills (Step 1).
- Boundary markers: None. The instructions do not specify any delimiters or safety checks for the content being generated.
- Capability inventory: The skill can create directories (Step 3), write files (Step 4, 5), and execute shell scripts (Step 7).
- Sanitization: None. There is a high risk that an attacker-provided skill definition could result in the creation of malicious scripts in the
scripts/directory which are then executed on the system. - Command Execution (MEDIUM): Step 7 of the skill provides a direct path for the agent to execute arbitrary code found within the repository.
- Evidence: "If a packaging script exists in the repo, run it to validate and package the skill."
- Risk: This instruction forces the agent to execute a script without verifying its contents or origin, leading to potential local code execution if the repository state has been compromised or if the user tricks the agent into creating a malicious 'packaging script'.
Recommendations
- AI detected serious security threats
Audit Metadata