skill-auditor
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill defines and executes several bash scripts for managing a central repository, involving commands such as 'mkdir -p', 'ln -s', and Git operations for version control.
- [COMMAND_EXECUTION]: In the 'migrate_skill' function, the skill utilizes 'rm -rf' to remove source directories after they are copied to the central repository. This presents a risk of unintended data destruction if path variables are improperly handled or if symbolic links are mismanaged.
- [COMMAND_EXECUTION]: Every operation is mandated to end with the execution of 'skillshare sync', which is an external command-line tool not included in the trusted vendor list or recognized as a well-known standard service.
- [COMMAND_EXECUTION]: The skill performs an intrusive scan of the user's home directory ('find ~/') to identify files matching the '.claude/skills/*/SKILL.md' pattern, which involves broad filesystem access.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to ingest and parse data from external 'SKILL.md' files. Ingestion points occur during the scan of project-level skills. Although it employs boundary markers like '=== SKILL: ===' to separate different skills, the capability inventory includes high-impact actions like file deletion and external tool execution, and the skill lacks explicit sanitization or validation logic for the content it extracts from these third-party files.
Audit Metadata