skill-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill takes arbitrary user input and formats it into a new SKILL.md file, so any instructions embedded in that input become part of a file the agent will later load and follow.
  - Ingestion points: User prompts describing the purpose, triggers, instructions, guardrails, and examples of the new skill.
  - Boundary markers: Absent; there are no delimiters, and no instruction to ignore embedded commands, in the generated markdown.
  - Capability inventory: The skill uses 'file: write' and 'bash: mkdir' to commit these instructions to the filesystem.
  - Sanitization: Absent; the agent is not directed to check user input for escape sequences or malicious instructions before writing it out.
- Command Execution & Path Traversal (HIGH): The bash and file tools are invoked with user-controlled values. Evidence: the command 'mkdir -p skills/[skill-name]' in SKILL.md takes its directory name from the user. A name such as '../../sensitive/path' resolves outside the skills/ directory, so the mkdir call, combined with the 'file: write' tool, could create directories or overwrite files in locations the skill should never touch. Because the name is interpolated directly into a bash command line, a name containing shell metacharacters is a further concern.
- Persistence (HIGH): Writing a new skill into the skills/ directory lets this meta-skill change the agent's behaviour in every future session that loads that skill, which is the defining characteristic of a persistence mechanism.
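The path-traversal finding above comes down to an unchecked name being joined onto a fixed directory. The following is an added example, not code from the audited skill or from Gen Agent Trust Hub: it shows the naive join the audit flags beside a hardened version that enforces an allow-list for skill names and then confirms the resolved target still lives under the skills directory. The allow-list pattern, the 'skills' base directory and the sample names are assumptions constructed for illustration.

```python
import os
import re
from pathlib import Path

# Assumed naming policy for this example: lowercase letters, digits and
# hyphens, first character alphanumeric, at most 64 characters.
SKILL_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


def naive_skill_dir(name: str) -> str:
    """The pattern the audit flags: the user-supplied name is concatenated
    onto the base directory with no validation. Returned normalised so the
    effect of '..' segments is visible."""
    return os.path.normpath(f"skills/{name}")


def skill_dir(base: str, name: str) -> Path:
    """Return <base>/<name> only if the name passes the allow-list and the
    resolved path cannot escape <base>. Raises ValueError otherwise."""
    if not SKILL_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid skill name: {name!r}")
    base_resolved = Path(base).resolve()
    target = (base_resolved / name).resolve()
    # Defence in depth: the regex already forbids '/', '..' and absolute
    # paths, but an explicit containment check guards against a later
    # loosening of the pattern.
    if base_resolved not in target.parents:
        raise ValueError(f"skill path escapes {base_resolved}: {target}")
    return target


def is_safe_name(name: str, base: str = "skills") -> bool:
    """Convenience wrapper: True if skill_dir() would accept the name."""
    try:
        skill_dir(base, name)
        return True
    except ValueError:
        return False


# Constructed sample inputs: one benign name and several hostile ones of the
# kind a prompt could smuggle into the [skill-name] slot.
SAMPLE_NAMES = [
    "pdf-summarizer",
    "../../sensitive/path",
    "..",
    "/etc/cron.d",
    "a; rm -rf ~",
    "",
]


def classify(names=SAMPLE_NAMES) -> dict:
    """Map each candidate name to whether the hardened check accepts it."""
    return {n: is_safe_name(n) for n in names}


if __name__ == "__main__":
    for n, ok in classify().items():
        print(f"{n!r:28} naive={naive_skill_dir(n)!r:28} accepted={ok}")
```

The regex check alone already rejects every hostile sample, including the traversal string from the finding; the containment check is kept because allow-lists tend to be relaxed over time, and it fails closed if that ever lets a separator or '..' through. The same check should run before the 'file: write' call, not only before mkdir.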
Recommendations
- AI detected serious security threats