Skills
skills/mthds-ai/skills/mthds-explain/Gen Agent Trust Hub

mthds-explain

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted MTHDS bundle files, which introduces an indirect prompt injection surface where malicious instructions could be embedded in the data being explained or executed.
  • Ingestion points: Reads .mthds bundle files in Step 1.
  • Boundary markers: The instructions do not define delimiters or provide specific warnings to the model to ignore instructions found within the bundle data.
  • Capability inventory: The skill can execute CLI commands (mthds-agent) and generate local files (live_run.html), which could be leveraged if a bundle is successfully used to inject instructions.
  • Sanitization: There is no evidence of content sanitization or validation before the information is presented to the user or passed to the CLI tool.
  • [COMMAND_EXECUTION]: The skill invokes the mthds-agent CLI for version checks, bundle validation, and execution. These commands are part of the core functionality and utilize tools provided by the vendor 'mthds-ai'.
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing the mthds package from the npm registry. This is the official package for the MTHDS platform and is considered a safe vendor resource.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 14, 2026, 02:31 AM