skill-optimizer
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external `SKILL.md` files and directory structures provided by the user.
  - Ingestion points: Users provide paths (e.g., `C:\Users\admin\.claude\skills\my-skill`) or the raw content of other skills to be optimized.
  - Boundary markers: None. The skill does not implement delimiters or 'ignore' instructions for the content it analyzes.
  - Capability inventory: The skill executes shell commands (`mkdir -p`), runs a local Python script (`init_skill_structure.py`), and rewrites local files (Steps 4 and 5).
  - Sanitization: None detected. Malicious instructions inside a skill being 'optimized' could trick the agent into performing unauthorized file system operations during the analysis or rewriting phases.
- Privilege Escalation (HIGH): In `workflow/step3-创建目录结构.md` ("step 3: create directory structure"), the instructions explicitly tell the agent: '如遇权限问题,使用管理员权限' (If you encounter permission problems, use administrator privileges). Encouraging the agent to escalate privileges to perform file system operations is a major security risk.
- Command Execution (MEDIUM): The skill frequently uses the agent's ability to execute local system commands and Python scripts.
  - Evidence: `SKILL.md` and `workflow/step3-创建目录结构.md` instruct the agent to run `mkdir -p` and `python scripts/init_skill_structure.py <skill-path>`. While the script itself is included in the package and appears only to create directories, the pattern of execution combined with user-provided paths is risky.
Recommendations
- AI detected serious security threats