skill-architect
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The 'Automation Protocol' section explicitly instructs the agent to 'Write the necessary script' and 'Ensure the script is executable (chmod +x)'. This pattern grants the agent the ability to execute arbitrary commands on the host system without human-in-the-loop validation of the script's contents.
- REMOTE_CODE_EXECUTION (HIGH): The skill facilitates the creation and execution of code (shell, Python, or ADB) based on user-provided descriptions. This allows an attacker to bypass standard constraints by describing a 'skill' that performs malicious actions, which the architect will then codify and execute.
- INDIRECT_PROMPT_INJECTION (LOW): This skill is highly susceptible to indirect injection. Evidence chain:
- Ingestion points: User-provided workflow descriptions and 'interaction patterns' (SKILL.md).
- Boundary markers: None; the instructions do not include delimiters or warnings to ignore instructions within the user-provided data.
- Capability inventory: File system write access, directory creation, permission modification (chmod), and script execution (scripts/).
- Sanitization: None; the skill faithfully 'drafts' and 'deploys' whatever logic the user provides into the agent's permanent skill directories (~/.gemini/antigravity/skills/).
Recommendations
- AI detected serious security threats
Audit Metadata