skill-creator
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/run_eval.py` uses `subprocess.Popen` to execute the `claude` CLI tool, passing user-supplied query strings directly as command-line arguments to test triggering behavior.
- [COMMAND_EXECUTION]: The utility `eval-viewer/generate_review.py` executes the system commands `lsof` and `kill` via `subprocess.run` to manage processes listening on local network ports.
- [REMOTE_CODE_EXECUTION]: The skill implements an iterative optimization cycle in `scripts/run_loop.py` that generates new skill instructions (executable prompts) using an LLM and then executes them in the local environment to evaluate their effectiveness.
- [DATA_EXPOSURE]: The script `eval-viewer/generate_review.py` recursively reads files from the workspace directory and encodes them into Base64 for embedding within an HTML review report.
- [COMMAND_EXECUTION]: The `scripts/run_eval.py` script writes temporary markdown files to the `.claude/commands/` directory to dynamically inject and test new agent capabilities.
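The two subprocess findings above (a CLI invoked with user-supplied query strings, and `lsof`/`kill` used to manage listeners on local ports) are the places a reviewer would check for argument handling. The following is an added illustration of the defensive form of both patterns; it is not code from skill-creator, and the audit does not say whether the skill's scripts already do this. Assumptions: the `claude -p <query>` flag shape and the `lsof -nP -iTCP:<port> -sTCP:LISTEN -t` invocation are taken from the tools' usual usage and are not shown on the page; the default command in `run_cli` is a local Python one-liner standing in for the real CLI so the example runs offline.

```python
"""Added example (not skill-creator's code): argv-list execution with an
option-injection guard, and PID validation before signalling a listener."""
import os
import signal
import subprocess
import sys
from typing import Iterable, Optional, Sequence


class UnsafeArgument(ValueError):
    """A value that must not reach argv or os.kill."""


def validate_query(query: str) -> str:
    """With shell=False, shell metacharacters in argv are inert; what remains is
    the CLI's own option parser, so a leading '-' is the residual risk."""
    if not query.strip():
        raise UnsafeArgument("empty query")
    if "\x00" in query:
        raise UnsafeArgument("NUL byte cannot be passed in argv")
    if query.lstrip().startswith("-"):
        raise UnsafeArgument("query would be parsed as a CLI option")
    return query


def is_rejected(query: str) -> bool:
    """True if validate_query refuses the string."""
    try:
        validate_query(query)
    except UnsafeArgument:
        return True
    return False


def build_cli_argv(query: str, cli: Sequence[str] = ("claude", "-p")) -> list:
    """One list element per argument; nothing is interpolated into a shell
    string. The ("claude", "-p") prefix is an assumed flag shape."""
    return [*cli, validate_query(query)]


def run_cli(query: str, cli: Optional[Sequence[str]] = None,
            timeout: float = 30.0) -> str:
    """Run the CLI without a shell and return its stdout. The default `cli`
    is a local Python one-liner that echoes argv[1], so this runs offline."""
    if cli is None:
        cli = (sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])")
    proc = subprocess.run(build_cli_argv(query, cli), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


def parse_lsof_pids(output: str) -> list:
    """`lsof -t` prints one PID per line. Accept only well-formed, non-init,
    non-self PIDs so a malformed or unexpected line can never become a target."""
    pids = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.isdigit():
            raise UnsafeArgument(f"non-numeric PID in lsof output: {line!r}")
        pid = int(line)
        if pid <= 1 or pid == os.getpid():
            raise UnsafeArgument(f"refusing to target pid {pid}")
        pids.append(pid)
    return pids


def listeners_on_port(port: int) -> list:
    """Ask lsof for TCP listeners on `port` (invocation shape is an assumption)."""
    if not 0 < port < 65536:
        raise UnsafeArgument(f"bad port {port}")
    proc = subprocess.run(["lsof", "-nP", f"-iTCP:{port}", "-sTCP:LISTEN", "-t"],
                          capture_output=True, text=True, check=False)
    return parse_lsof_pids(proc.stdout)


def terminate(pids: Iterable[int]) -> list:
    """Signal directly with os.kill rather than spawning `kill`; returns the
    PIDs that were actually signalled."""
    done = []
    for pid in pids:
        try:
            os.kill(pid, signal.SIGTERM)
            done.append(pid)
        except ProcessLookupError:
            pass
    return done


if __name__ == "__main__":
    print(build_cli_argv("summarize the README"))
    print(repr(run_cli("a; rm -rf /tmp/x && echo $HOME")))
    print(parse_lsof_pids("4242\n4243\n"))
```

The point of the echo stand-in is that the query arrives at the child verbatim, metacharacters included, because no shell ever sees it; the only thing left to guard is the CLI's own option parsing, which the leading-dash check covers. For the port-cleanup path, validating `lsof` output and calling `os.kill` directly removes the second process spawn and makes it impossible to signal anything other than an integer PID that lsof reported.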
Recommendations
- AI detected serious security threats
Audit Metadata