create-skills
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and integrate external data (domain knowledge, workflows, and scripts) into a packaged skill format, creating a surface for indirect prompt injection.
- Ingestion points: Untrusted user input defining "领域知识" (domain knowledge), "工作流程" (workflows), and "脚本" (scripts) as described in SKILL.md and references/skill-initialization-guide.md.
- Boundary markers: Absent. The instructions do not mandate the use of delimiters (e.g., XML tags or specific markers) to isolate user-provided knowledge from the agent's instructions during the generation process.
- Capability inventory: The skill involves generating and writing multiple files (SKILL.md, references/, scripts/), modifying the root README.md (as seen in references/checklist.md section VI), and performing file system operations like ZIP packaging (references/skill-packaging-guide.md).
- Sanitization: Absent. There are no instructions for the agent to validate, escape, or filter the content of the provided domain knowledge before including it in the generated skill's executable or instructional components.
- [PROMPT_INJECTION]: The skill uses extremely forceful steering instructions to control agent behavior, which mimics patterns used in behavioral overrides.
- Evidence: references/checklist.md and references/best-practice/checklist-guide.md include rules such as "执行规则:逐项勾选...不得跳过" (Execution rule: check one by one... do not skip) and requirements for the AI to "逐项显式勾选" (explicitly check each item) in its output. While intended for quality control, these rigid instructions mandate specific control flows and response formats.
Audit Metadata