check-all-skills
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is highly susceptible to indirect prompt injection because its primary function is to read and process external 'SKILL.md' files.
  - Ingestion points: The agent reads content from various `SKILL.md` files located in `/workspace/projects/skills` (documented in Step 2 and Step 3).
  - Boundary markers: Absent. There are no instructions provided to the agent to treat the content of the external skills as untrusted or to use delimiters to prevent instruction leakage.
  - Capability inventory: The skill uses shell commands (`find`) and has instructions to perform 'Automatic Repair', which includes file and directory deletion (`rm` or equivalent).
  - Sanitization: Absent. There is no validation or sanitization of the content found within the target files before they are processed by the agent.
- Command Execution (LOW): The skill explicitly uses a bash command to traverse directories. While the command itself is static (`find /workspace/projects/skills -maxdepth 1 -name "SKILL.md" -exec dirname {} \;`), it interacts with the file system and could be manipulated if a user provides a malicious path in 'Example 2'.
- File System Modification (LOW): Step 5 ('Automatic Repair') grants the agent authority to delete 'temporary files' and 'empty directories'. If the agent is successfully manipulated via indirect prompt injection from a malicious skill file, this capability could be used to delete unintended files.