skill-creator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION] (SAFE): The
package_skill.pyscript executes a local validation script (quick_validate.py) viasubprocess.run. The command is constructed safely using a list of arguments and a locally resolved path to the script, which prevents shell injection. - [DYNAMIC_EXECUTION] (SAFE): The
quick_validate.pyscript usesyaml.safe_load()to parse the frontmatter ofSKILL.mdfiles. This is a secure method for processing YAML that prevents execution of arbitrary code embedded in the data. - [EXTERNAL_DOWNLOADS] (SAFE): No network operations, external downloads, or exfiltration patterns were identified in any of the files. Scripts operate entirely on the local file system.
- [PROMPT_INJECTION] (SAFE): The documentation files (
output-patterns.md,workflows.md) contain examples of formatting and workflow instructions. These are pedagogical examples for developers and do not contain malicious injection payloads targeting the agent or analyzer.
Audit Metadata