skill-lookup
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads content from
prompts.chat, which is not an approved trusted source. It retrieves not only text instructions but also 'helper scripts' and 'configuration files'. - [REMOTE_CODE_EXECUTION] (HIGH): The workflow involves saving retrieved scripts directly to the local file system (
.claude/skills/). This facilitates the installation of unverified code that can be subsequently executed by the agent or the underlying system. - [COMMAND_EXECUTION] (MEDIUM): The installation process uses external metadata (the skill 'slug' and 'filenames') to determine file paths. Without explicit sanitization, this is vulnerable to path traversal attacks where a malicious skill could attempt to write files outside the intended directory.
- [INDIRECT_PROMPT_INJECTION] (LOW): This skill is highly susceptible to indirect prompt injection. Content from
SKILL.mdis read back and integrated into the agent's instructions without sanitization or boundary markers, allowing an attacker-controlled skill to hijack the agent's behavior. - Ingestion points:
get_skilltool output (file contents from registry). - Boundary markers: Absent; the instructions simply say to 'Read back SKILL.md' and 'confirm installation'.
- Capability inventory: File system writes, persistent skill installation, instruction following.
- Sanitization: Absent; files are saved exactly as retrieved from the remote source.
Recommendations
- AI detected serious security threats
Audit Metadata