skill-evolution-driver

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The scripts/restore_skill.py script contains a high-privilege file system operation. It uses shutil.rmtree() on a path provided via the --skill-dir argument without verifying that the path is restricted to a specific 'safe' directory. An attacker could potentially manipulate the agent into running this script against sensitive system or application directories, leading to total data loss and replacement with malicious content.
  • Evidence (scripts/restore_skill.py): Line 23 performs shutil.rmtree(skill_dir), and lines 36-39 move extracted content from a temporary directory into the targeted directory.
  • PROMPT_INJECTION (MEDIUM): The references/optimization_guide.md and scripts/manage_optimization_tasks.py establish a framework for 'skill evolution' driven by task descriptions. If an attacker provides a malicious task description (e.g., in a PR or issue that the agent reads), they could use Indirect Prompt Injection to influence the 'driver' agent to perform unsafe modifications under the guise of an 'optimization task'.
  • Evidence (scripts/manage_optimization_tasks.py): The create_task and add_task functions allow arbitrary strings for description and optimization_type to be saved into the configuration used by the evolution driver.
  • INDIRECT PROMPT INJECTION (HIGH): The skill possesses a high-risk capability tier (Write/Execute) combined with an ingestion surface (External content processing via management scripts).
  • Ingestion points: scripts/manage_optimization_tasks.py accepts external descriptions for tasks.
  • Boundary markers: Absent. The scripts process input as raw strings.
  • Capability inventory: shutil.rmtree, shutil.move, zipfile.extractall, and file writing in update_version.py and backup_skill.py.
  • Sanitization: Limited to path normalization (os.path.normpath), which does not prevent access to unauthorized directories.
  • COMMAND_EXECUTION (LOW): scripts/backup_skill.py uses the compile() function to validate Python scripts for syntax errors. While this does not execute the code, it is a form of dynamic code processing that should be monitored.
  • Evidence (scripts/backup_skill.py): Line 76 uses compile(code, script_path, 'exec').
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:46 PM