lenny-skillpack-creator
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The script 'scripts/package_skillpack.py' uses 'subprocess.call' to execute local Python scripts. While the command is relatively controlled, the ability to spawn subprocesses using paths derived from input parameters presents a security risk.
- EXTERNAL_DOWNLOADS (MEDIUM): The 'scripts/fetch_refound_skills.py' script utilizes the 'requests' library to download content from 'refoundai.com', which is not a trusted external source. This script automatically retrieves SKILL.md or HTML files that are subsequently processed as instructions by the agent.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its core function of processing external data.
  - Ingestion points: Data is fetched from external URLs via 'fetch_refound_skills.py' and 'extract_lenny_skill.py'.
  - Boundary markers: The prompt instructions in 'SKILL.md' do not utilize robust delimiters or instructions to ignore embedded commands within the source data.
  - Capability inventory: The skill package includes scripts with the ability to write to the filesystem and access the network.
  - Sanitization: There is no evidence of sanitization or validation of the external content before it is processed for skill generation.
- DYNAMIC_EXECUTION (MEDIUM): Following Category 10, this skill is designed to generate new executable content (skill packs containing markdown instructions and optional scripts) at runtime based on external, untrusted input.