skill-scanner
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions and SKILL.md documentation call for the use of the Bash tool to run a bundled Python script (scripts/scan_skill.py). This tool usage is justified as the primary mechanism for the skill to perform static analysis on target directories.
- [PROMPT_INJECTION]: The file references/prompt-injection-patterns.md and the scanner script scripts/scan_skill.py contain a comprehensive list of prompt injection and jailbreak patterns (e.g., 'ignore previous instructions', 'DAN mode'). These are clearly defined as signatures for a detection engine and are not intended to be executed as instructions against the host agent.
- [REMOTE_CODE_EXECUTION]: The references/dangerous-code-patterns.md file includes examples of reverse shells and malicious code execution (e.g., os.system('nc -e /bin/sh ...')). These are provided as educational material and search patterns for the scanner, serving as diagnostic data rather than functional code.
- [EXTERNAL_DOWNLOADS]: The skill script identifies various untrusted domains (e.g., evil.com) in its pattern matching logic to detect data exfiltration. The skill itself does not perform unauthorized external downloads; its only external dependency is the well-known pyyaml package, and it references trusted documentation domains such as Sentry's official sites and GitHub.
- [SAFE]: The skill follows security best practices by providing a framework for least-privilege assessment and human-in-the-loop verification of findings. All 'malicious' indicators detected by static analysis are confirmed to be data/signatures rather than active attack vectors.
Audit Metadata