skill-creator-plus
Warn
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Command Execution] (MEDIUM): The skill executes Python scripts (package_skill.py and quick_validate.py) located within an external skill directory (skill-creator). This represents dynamic execution of code that is not contained within the skill itself, relying on the integrity of the external skill's path.
- [Indirect Prompt Injection] (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted user data to validate output quality.
  - Ingestion points: Step 2 (Validation Phase) where users provide example pairs (Input Document -> Standard Output Document).
  - Boundary markers: None. The documents are passed directly to sub-agents via the Task() function without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can execute local Python scripts and dispatch further sub-agents.
  - Sanitization: None. There is no evidence of filtering or escaping content within the provided documents.
- [Data Exposure] (LOW): The skill performs file system operations, specifically writing to project-level (.claude/skills/) and user-level (~/.claude/skills/) directories. While this is consistent with its stated purpose of saving created skills, it grants the agent persistent write access to the user's home directory.
Audit Metadata