skill-creator
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (LOW): The specification defines a framework for Indirect Prompt Injection.
- Ingestion points: The framework relies on the agent reading and processing SKILL.md files, which include both metadata (name, description) and a markdown body containing instructions.
- Boundary markers: Metadata is delimited using XML-like tags in the system prompt as described in skill-client-integration.md. However, the markdown body is read directly by the agent (e.g., via `cat`) without inherent boundary markers to prevent the agent from following malicious instructions embedded in the data.
- Capability inventory: The guide explicitly describes agents executing shell commands and using tools based on the instructions discovered in these skills, creating a path from untrusted input to execution.
- Sanitization: The validation script (quick_validate.py) includes basic sanitization by disallowing angle brackets (<, >) in the description to prevent tag injection in the XML prompt structure, but no sanitization is applied to the instructional markdown body.
Audit Metadata