skill-generator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest user-provided methodology and write it into new executable skill files (.md). This is a Category 8 vulnerability. There are no boundary markers or sanitization processes to prevent an attacker from embedding malicious instructions that would be 'learned' and then persistently executed by the agent. Generated skills (like the API docs example) are granted high-privilege tools such as bash_tool and web_fetch.\n
- Ingestion points: User instructions captured from conversation (SKILL.md).\n
- Boundary markers: None identified.\n
- Capability inventory: Generated skills use bash_tool, web_search, web_fetch.\n
- Sanitization: None.\n- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill relies on an unverified local binary skill-learner (Category 4). Furthermore, generating and executing new markdown-based skill files constitutes dynamic execution (Category 10). Since the instructions for these new skills come from untrusted user input, this creates a path for persistent Remote Code Execution (RCE). Calling the binary with unsanitized user strings also risks shell injection.
Recommendations
- AI detected serious security threats
Audit Metadata