skills-index-updater
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection vulnerability surface. The script update_skill_index.py reads 'name' and 'description' metadata from the frontmatter of SKILL.md files found in searched directories and interpolates them into rule files like cline_overview.md or .clinerules/agents_skills.md. Since these files provide instructions to the AI agent, an attacker who can place a malicious skill file in a scanned directory could inject commands into the agent's rules.
- Ingestion points: The script scans multiple directories including ~/Documents/Cline/skills/, ~/.kiro/skills/, and .claude/skills/.
- Boundary markers: No delimiters or explicit instructions are used in the generated indexes to prevent the agent from obeying instructions embedded in the skill descriptions.
- Capability inventory: The script has file system read/write access and performs directory traversal within user-accessible paths.
- Sanitization: No sanitization or escaping of the extracted 'description' text is performed before it is written to the instruction files.