create-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill facilitates Indirect Prompt Injection (Category 8) by requiring the agent to process untrusted data while possessing high-privilege capabilities.
- Ingestion points: In SKILL.md Step 1, the agent is instructed to 'Browse the skills directory' and 'Read 1–2 similar skills' (e.g., skills/feature-flags/*).
- Boundary markers: Absent. The agent is not told to ignore embedded instructions in these files.
- Capability inventory: The skill allows the agent to create directories/files (Step 3) and execute arbitrary local Python scripts (scripts/generate_catalog.py, scripts/validate_skills.py) and tests.
- Sanitization: Absent. There is no filtering or validation of the content read from other skills. Per the security framework, the combination of untrusted content ingestion and execution/write capabilities warrants a HIGH severity.
- [COMMAND_EXECUTION] (MEDIUM): The skill explicitly commands the agent to run local Python scripts. While these are presented as repository maintenance tools, they provide a mechanism for arbitrary code execution within the agent's environment. Because the content of these scripts is not provided in the skill package, they constitute unverifiable execution paths.
Recommendations
- AI detected serious security threats
Audit Metadata