Skills
skills/famaoai-creator/gemini-skills/mission-control/Gen Agent Trust Hub

mission-control

Pass

Audited by Gen Agent Trust Hub on Mar 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the node runtime to spawn subprocesses for executing other specialized skills.
  • Evidence: In src/lib.ts, the executeCommand function utilizes node:child_process's spawn to run commands. The orchestrate function builds arguments and executes local scripts.
  • [REMOTE_CODE_EXECUTION]: The orchestrator dynamically resolves paths to local script files and executes them based on input from a MissionContract JSON file.
  • Evidence: In src/lib.ts, script paths are constructed using path.join(process.cwd(), contract.skill, scriptRelativePath) and executed via the Node.js binary. Security is mitigated by a whitelist check against a local global_skill_index.json.
  • [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it processes external JSON contracts to determine its execution flow.
  • Ingestion points: The skill reads a MissionContract from a file path provided via command-line arguments in src/index.ts.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the processing of the contract data.
  • Capability inventory: The skill has the capability to spawn subprocesses (spawn) and write to the file system (safeWriteFile) in src/lib.ts.
  • Sanitization: The skill performs a lookup against a local global_skill_index.json to validate the requested skill name before execution, which provides a layer of protection against arbitrary path execution.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 2, 2026, 03:25 AM