Skills
skills/hugorcd/evlog/create-evlog-adapter/Gen Agent Trust Hub

create-evlog-adapter

Pass

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses unvalidated placeholders like {name} to define file paths such as packages/evlog/src/adapters/{name}.ts. This creates a directory traversal risk where a malicious input could potentially overwrite arbitrary files if the agent does not apply its own safety constraints.
  • Ingestion points: {name}, {Name}, and {NAME} placeholders in SKILL.md and referenced templates.
  • Boundary markers: No boundary markers or 'ignore embedded instructions' warnings are provided for the placeholder content.
  • Capability inventory: The skill creates source and documentation files, modifies configuration files, and executes shell commands via the bun runtime.
  • Sanitization: No sanitization, escaping, or path validation is performed on the user-provided placeholders.
  • [COMMAND_EXECUTION]: The verification section instructs the agent to execute bun run build and bun run test. This pose a risk as it allows for the execution of any code injected into the generated files via the naming placeholders.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 8, 2026, 07:08 PM