skill-security-analyzer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill's primary function is to process untrusted external data (the skills being analyzed). It lacks explicit boundary markers or instructions to isolate the analyzer's logic from the content of the skills it audits, creating a high risk of the agent obeying malicious instructions embedded within target skills.
      • Ingestion points: SKILL.md, scripts, and assets of the analyzed .skill files.
      • Boundary markers: Absent; there are no instructions to use delimiters or ignore embedded directives during analysis.
      • Capability inventory: Shell execution via unzip and extensive file reading via the view tool.
      • Sanitization: Absent; the skill relies on agent reasoning rather than input validation.
  • Command Execution (HIGH): The instruction for handling .skill files uses a direct bash command: unzip skillname.skill. If the skillname variable contains shell metacharacters (e.g., ; rm -rf /), it leads to arbitrary command execution on the host system.
  • Data Exposure (LOW): The skill is instructed to read from various file paths including user uploads. While functional for an auditor, this access surface is broad.
  • Metadata Integrity (SAFE): The metadata provided accurately describes the tool's intended purpose without deceptive formatting.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 08:06 AM