skill-manager
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection. It is designed to ingest and store data (logs and configurations) from external/untrusted skills and specifically instructs the AI agent to 'analyze' this data to 'discover patterns' or 'identify problems'.
- Ingestion points: Data enters the system via the save_config and save_logs methods in scripts/skill_manager.py.
- Boundary markers: No delimiters or instructions are provided to the agent to treat stored data as untrusted or to ignore embedded commands.
- Capability inventory: The AI agent is directed to use this data for reasoning and decision-making (analysis/optimization), providing a pathway for malicious content to influence agent behavior.
- Sanitization: No sanitization or validation is performed on the ingested content.
- [DATA_EXFILTRATION] (HIGH): The skill implementation lacks isolation or access control. It provides a global, shared JSON database where any skill can access any other skill's data by name.
- Exposure: The get_all(), get_config(), and list_skills() methods in scripts/skill_manager.py allow any caller to retrieve data belonging to any other skill. This would lead to the exposure of sensitive configurations or credentials if stored by other skills.
- Integrity: Any skill can overwrite or delete another skill's data using save_config() or delete(), as there is no verification of the caller's identity.
Recommendations
- AI detected serious security threats
Audit Metadata