skill-lookup
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches skill metadata and file contents, including scripts and configuration files, from the external prompts.chat MCP server, which is an untrusted community-driven source.
- [REMOTE_CODE_EXECUTION]: Provides instructions to retrieve and save arbitrary helper scripts (Python, shell, etc.) from a remote repository to the local directory .claude/skills/. This mechanism allows potentially malicious code from a third party to be placed on the host system for subsequent execution.
- [COMMAND_EXECUTION]: Directs the agent to perform filesystem operations, specifically directory creation (mkdir) and file writing, using unverified content retrieved from an external network source.
- [PROMPT_INJECTION]: High risk of indirect prompt injection. The skill ingests data from an external platform (prompts.chat) into the agent's context without sanitization or boundary markers.
- Ingestion points: get_skill tool output (SKILL.md and other files).
- Boundary markers: None present; the instructions do not suggest wrapping external content in delimiters or warning the agent to ignore embedded instructions.
- Capability inventory: File system write access to .claude/skills/.
- Sanitization: None; the skill saves retrieved file contents directly to the filesystem.
Recommendations
- AI detected serious security threats
Audit Metadata