skill-registry
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: Metadata is extracted from SKILL.md files discovered in user-level directories (e.g., ~/.claude/skills/) and workspace directories (e.g., {project-root}/skills/).
  - Boundary markers: Absent. The skill extracts raw text from the name and description fields and interpolates them directly into a markdown registry table.
  - Capability inventory: The skill writes to the local file system (.atl/skill-registry.md) and uses the mem_save tool to persist configuration data in the agent's memory.
  - Sanitization: Absent. Metadata is extracted from external files and processed without validation or escaping.
- [DATA_EXFILTRATION]: The skill performs broad scans of sensitive user-level configuration directories associated with various AI development tools, including ~/.claude/skills/, ~/.gemini/skills/, ~/.cursor/skills/, and others. While the collected data (skill names and paths) remains local or in internal agent memory, this broad directory scanning represents a data exposure risk.
- [COMMAND_EXECUTION]: The skill performs automated file system modifications, including the creation of the .atl/ directory and modification of the project's .gitignore file to manage its own registry artifacts.
Audit Metadata