skill-development
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill implements a custom 'Heir Pull-Sync Protocol' that downloads content from an external source.
  - Evidence: The `/pullskill` command in `SKILL.md` fetches skill folders and copies them directly into the local `.github/skills/` directory.
  - Evidence: The `/checkskills` command reads a remote `skills/skill-registry.json` file from the 'Global Knowledge' repository.
  - This custom update mechanism lacks explicit verification or cryptographic signing, potentially allowing the installation of malicious instructions from a compromised registry.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its project signal detection and wishlist fulfillment processes.
  - Ingestion points: The skill scans local project files such as `.github/workflows/`, `docker-compose.yml`, `package.json`, and `requirements.txt` (`SKILL.md`).
  - Boundary markers: No delimiters or instructions to ignore embedded commands within these scanned files are documented.
  - Capability inventory: The agent has the capability to write to the local filesystem (`/pullskill`), update manifests, and push insights to a shared repository (`/saveinsight`).
  - Sanitization: There is no evidence of sanitization or validation of the data read from project files before it is processed for skill matching.
- [COMMAND_EXECUTION]: The skill defines several custom commands that perform sensitive operations on the filesystem and network.
  - Evidence: The `/pullskill`, `/checkskills`, `/fulfillwish`, and `/saveinsight` commands represent custom execution paths that manage the lifecycle of agent capabilities, modifying local configurations and interacting with remote data sources.
Audit Metadata