check-all-items
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill executes arbitrary shell commands through its 'After Hook' mechanism. The `validation.command` parameter (defaulting to `npm run quality`) allows the execution of any system command within the agent's context, which can be exploited if the configuration is influenced by an attacker.
- REMOTE_CODE_EXECUTION (HIGH): The 'Auto Discovery' mechanism automatically identifies and executes any skill ending in `best-practice` within the `skills/` directory. This creates a direct execution vector: an attacker who can drop a file into the local filesystem gains full code execution when this skill is run.
- EXTERNAL_DOWNLOADS (MEDIUM): Documentation in `after-hook-validation.md` indicates that the system may attempt to 'automatically install missing dependencies' if a validation fails. This potentially triggers unverified downloads from external package registries at runtime.
- PROMPT_INJECTION (LOW): The skill possesses a significant surface for indirect prompt injection (Category 8):
  - Ingestion points: The local `skills/` directory and the `SKILL.md` files of discovered items.
  - Boundary markers: Absent. The skill assumes trust in all files matching the `*-best-practice` naming convention.
  - Capability inventory: Execution of subprocesses (`npm`), reading of local files, and recursive calling of other AI agent skills.
  - Sanitization: Absent. There is no validation or filtering of the content within the discovered skills before execution.
Recommendations
- AI detected serious security threats
Audit Metadata