skill-hub
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: CRITICAL
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (CRITICAL): The skill uses the `alma skill install <user/repo>` command to fetch code from the skills.sh ecosystem. This source is not on the trusted repository list and allows for the introduction of arbitrary, unvetted code into the agent's environment.
- REMOTE_CODE_EXECUTION (CRITICAL): The entire purpose of the skill is to extend the agent's capabilities at runtime by installing new scripts. Because these skills are executed with `Bash` and `Write` permissions, any malicious skill found in the ecosystem can execute arbitrary system commands, access files, or establish persistent backdoors.
- PROMPT_INJECTION (HIGH): The 'Self-Evolution Flow' section explicitly instructs the agent to be 'proactive' and search for/install new skills when it encounters a task it cannot currently perform. This creates a behavioral loophole where an attacker can trick the agent into installing a 'helper' skill that contains malicious instructions or jailbreaks.
- INDIRECT PROMPT INJECTION (HIGH):
  - Ingestion points: Metadata and instructions from `SKILL.md` files downloaded from the skills.sh registry (e.g., via `alma skill search`).
  - Boundary markers: Completely absent; the agent is encouraged to treat external skill instructions as authoritative extensions of its own logic.
  - Capability inventory: Full access to `Bash`, `Read`, and `Write` tools, allowing downloaded skills to perform any action the agent can.
  - Sanitization: None; there is no evidence of code signing, hash verification, or sandbox isolation for installed skills.
Recommendations
- AI detected serious security threats
Audit Metadata