skill-creator

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • Dynamic Execution (SAFE): The script quick_validate.py correctly uses yaml.safe_load() to parse user-provided metadata, preventing arbitrary object instantiation and potential code execution vulnerabilities commonly associated with unsafe YAML loaders.
  • Data Exposure & Exfiltration (SAFE): No network operations (e.g., curl, fetch, requests) or access to sensitive local files (e.g., SSH keys, credentials) were found. The script package_skill.py only performs local zip operations.
  • Unverifiable Dependencies (SAFE): The scripts rely on standard Python libraries (sys, os, re, pathlib, zipfile) and the widely-used PyYAML library. No external scripts are downloaded or executed from the internet.
  • Indirect Prompt Injection (SAFE): While the validation script ingests external SKILL.md content, it performs strict schema validation, key-whitelisting, and length checks without passing any content to an execution or interpolation context that could be exploited.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:09 PM