go-package-skill-creator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection.
  - Ingestion points: Documentation is fetched from an external source (https://pkg.go.dev/<import-path>) in step 2 of the workflow defined in SKILL.md.
  - Boundary markers: There are no explicit instructions or delimiters used to warn the agent that the fetched content should be treated as untrusted data or to ignore embedded instructions.
  - Capability inventory: The skill uses the Write tool (Step 7) to create or modify files based on the fetched data, which could be exploited to write malicious content if the documentation is poisoned.
  - Sanitization: No validation or sanitization is performed on the content retrieved from the external Go registry.
Audit Metadata