skill-extractor
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill processes untrusted conversation history to generate new agent instructions and code.
- Ingestion points: Step 1 explicitly directs the agent to analyze the entire session history to extract procedures.
- Boundary markers: Absent. There are no delimiters or instructions provided to distinguish between valid user requests and malicious content in the history.
- Capability inventory: Writing files to the filesystem and executing shell commands (chmod).
- Sanitization: Absent. Extracted data is directly interpolated into generated SKILL.md and script templates.
- Dynamic Execution (HIGH): The skill generates and saves executable Python (.py) and JavaScript (.js) scripts based on conversation data.
- Evidence: Steps 3 and 5 allow the creation of local scripts from untrusted data, enabling an attacker to persist malicious code in the skills directory.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The Python template uses the 'uv' script format, which allows for the specification and automatic installation of arbitrary PyPI packages at runtime.
- Evidence: The template in Step 3 includes a 'dependencies' list that can be populated based on the conversation context.
- Privilege Escalation (MEDIUM): The skill executes chmod +x on files it generates from untrusted context, facilitating the execution of potentially malicious scripts.
Recommendations
- AI detected serious security threats
Audit Metadata