skill-auditor

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands to perform its auditing functions. These include running Python modules (python -m scripts.aggregate_benchmark, python -m scripts.run_loop), executing scripts by path (python <skill-creator-path>/eval-viewer/generate_review.py), and managing processes (kill $VIEWER_PID). These commands incorporate variables like skill names and file paths derived from the skills being audited. This creates a risk of command injection if the target skill provides maliciously crafted metadata or file paths.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because its primary function is to ingest and analyze untrusted data from other skills.
    ◦ Ingestion points: The skill reads the SKILL.md, references, scripts, and assets of the target skill, as well as its execution transcripts and user feedback.
    ◦ Boundary markers: The instructions for the internal agents (Grader, Comparator, Analyzer) do not include specific delimiters or warnings to ignore potentially malicious instructions embedded within the audited content.
    ◦ Capability inventory: The skill possesses significant capabilities, including file system access (read/write), shell command execution, and the ability to spawn subagents.
    ◦ Sanitization: There is no evidence of validation or sanitization of the content extracted from target skills before it is processed by the evaluation agents or interpolated into shell commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 2, 2026, 02:44 PM