rust-skill-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is designed to ingest untrusted external data and transform it into executable agent skills, a classic Indirect Prompt Injection surface.
- Ingestion points: The skill accepts arbitrary URLs via the
/create-llms-for-skillscommand as seen in SKILL.md. - Boundary markers: None. There are no instructions to the agent to ignore or delimit instructions found within the fetched documentation.
- Capability inventory: The workflow culminates in the
/create-skills-via-llmscommand which writes persistent skill files to the filesystem at~/.claude/skills/(noted in SKILL.md). - Sanitization: No sanitization or validation logic is defined to prevent the scraped documentation from containing malicious instructions that would then be saved as a new skill.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill facilitates downloading and processing content from any URL provided by the user or constructed from crate names.
- While documentation sites like
docs.rsare common, the workflow explicitly supports 'Custom URLs' which allows an attacker to point the agent to a malicious server hosting a tailoredllms.txtpayload. - [COMMAND_EXECUTION] (MEDIUM): The skill instructs the agent to execute custom slash commands (
/create-llms-for-skillsand/create-skills-via-llms) that perform network operations and local file modifications.
Recommendations
- AI detected serious security threats
Audit Metadata