skill-improver
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill executes local bash scripts (backup-skill.sh, verify-update.sh) to perform file management and validation. These scripts operate on directory paths provided by the agent or user without validation, allowing for potential misuse of shell commands on arbitrary directories.
- DATA_EXFILTRATION (MEDIUM): The scripts/backup-skill.sh script executes a recursive copy (cp -R) of a user-provided directory to a backup location. An attacker could exploit this to read sensitive system files (e.g., ~/.ssh or ~/.aws/credentials) by passing a sensitive path as the 'skill path', effectively exposing private data in a readable backup folder.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection.
  - Ingestion points: The skill reads external improvement-plan-*.md files to extract suggested content.
  - Boundary markers: No boundary markers or instructions are used to distinguish plan content from system instructions.
  - Capability inventory: The skill possesses Edit and Write tool capabilities and can execute local bash scripts, which can be leveraged to persistently modify other agent skills.
  - Sanitization: No sanitization or safety validation is performed on the 'Suggested content' before it is applied to target files.
Audit Metadata