refine-skill-design
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted Markdown documents (SKILL drafts) which may contain malicious instructions intended to bypass the auditor's logic or influence the agent's behavior during the refinement process.
- Ingestion points: The
input_schemadefines the input as adocument-artifact(an existing SKILL.md file). - Boundary markers: There are no explicit instructions or delimiters used to isolate the input data from the agent's core instructions, nor are there warnings to ignore instructions embedded within the input text.
- Capability inventory: The skill has the capability to write files to the local filesystem as defined in the 'Output Persistence' section of
SKILL.md. - Sanitization: The skill lacks any description of sanitization or validation logic for the input content prior to processing.
- [COMMAND_EXECUTION]: The skill instructs the agent to perform file system operations by writing optimized output to specific paths (e.g.,
SKILL.refined.md). While the skill includes restrictions against overwriting source files, the pathing logic depends on input variables like<skill-name>, which could be manipulated if not handled safely by the underlying agent platform.
Audit Metadata