skill-forge
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It ingests data from the current session—which may contain untrusted content from users or external sources—and uses it to generate persistent instructions in the form of new SKILL.md files. (1) Ingestion points: Session context, including all user inputs and tool results (SKILL.md). (2) Boundary markers: Absent; no delimiters are used to separate untrusted data from the instruction template. (3) Capability inventory: 'file: write' and 'mkdir' enable the creation of permanent skill files. (4) Sanitization: Absent; the agent is instructed to directly incorporate session 'discoveries' into new skills.
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes 'bash' and 'file' tools to modify the local filesystem. While limited, these tools are used to implement a persistence mechanism by modifying the agent's own instruction library.
Recommendations
- AI detected serious security threats
Audit Metadata