skill-best-practice
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection. It processes untrusted data (directory names and SKILL.md metadata from multiple skill folders) and uses that data to perform high-privilege file operations.
  - Ingestion points: The skill reads directory names in 'skills/' and YAML front-matter in 'SKILL.md' files.
  - Boundary markers: Absent; the skill does not instruct the agent to ignore or delimit instructions found in the external skill files.
  - Capability inventory: The skill has the authority to 'directly modify' the root 'README.md' and 'SKILL.md' files, delete 'redundant' files, and execute system commands defined in 'dependency.system'.
  - Sanitization: Absent; skill names and metadata are interpolated directly into the library's main documentation and report templates.
- COMMAND_EXECUTION (MEDIUM): The skill's 'dependency.system' and 'auto-fix' instructions encourage the agent to perform sensitive filesystem operations, including permission changes ('chmod +x') and file deletions. Because these actions are driven by external inputs, a malicious skill could trigger harmful system-level changes or bypass security boundaries.
Recommendations
- AI detected serious security threats
Audit Metadata