skill-creator
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/init_skill.py generates new Python source code by interpolating the skill_name argument directly into a template string using .format(). Because this input is not sanitized or escaped, a maliciously crafted skill name can inject arbitrary Python commands into the generated example.py file.
- [PROMPT_INJECTION]: The SKILL.md instructions (Step 4) explicitly direct the agent to test generated scripts by running them. This establishes an execution path for the code injection vulnerability mentioned above, as an attacker could provide a malicious name that the agent then unknowingly executes.
- [EXTERNAL_DOWNLOADS]: The repository includes scripts/monorepo-generator.skill, which is a binary ZIP archive. Including opaque, non-human-readable executable packages in a skill repository is a security risk, as it bypasses static code analysis and can hide malicious logic.
- [COMMAND_EXECUTION]: The skill requires the execution of local Python scripts that perform filesystem modifications, including directory creation, file writing, and changing file permissions (chmod 0o755).
- [INDIRECT_PROMPT_INJECTION]: The skill exhibits an attack surface for indirect injection:
  1. Ingestion points: Command-line arguments in scripts/init_skill.py (file: scripts/init_skill.py).
  2. Boundary markers: None; user input is directly embedded in code templates.
  3. Capability inventory: Filesystem access, permission management, and instructed script execution (file: scripts/init_skill.py).
  4. Sanitization: Absent; the skill_name is used without validation or escaping.
Audit Metadata