skill-updater
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to run shell commands including unzip, cat, and local Python scripts (scripts/analyze_skill.py, scripts/quick_validate.py, scripts/package_skill.py) on paths provided by the user. The scripts/analyze_skill.py file uses ZipFile.extractall() without validating whether the paths inside the archive are safe, which is a known vulnerability (Zip Slip) that can allow an attacker to write files outside the intended directory.
- [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection because its primary purpose is to interpret and act upon content from external, untrusted skill files.
- Ingestion points: The agent reads the content of SKILL.md and associated scripts from a user-provided directory or .skill archive.
- Boundary markers: No delimiters or safety warnings are used to prevent the agent from following instructions embedded within the analyzed skill files.
- Capability inventory: The skill possesses the capability to modify the filesystem, create executable scripts, and run validation tools, providing an attacker with a powerful primitive if the agent is manipulated.
- Sanitization: There is no sanitization or filtering of the instructions or feedback extracted from the external skill content before it is processed by the agent.