verify-claims
Audited by Gen Agent Trust Hub on Feb 13, 2026
The skill verify-claims and its metadata file `_meta.json` were analyzed for security vulnerabilities. No malicious patterns were detected.

- Prompt Injection: No attempts to override the LLM's behavior or bypass safety guidelines were found. The use of 'CRITICAL:' within the skill's instructions is for emphasis and not a malicious injection attempt.
- Data Exfiltration: No sensitive file paths (e.g., `~/.aws/credentials`, `~/.ssh/id_rsa`) are accessed. The skill instructs the agent to perform network operations (`Fetch:`, `web_fetch`) to retrieve information from `wikipedia.org` and various fact-checking websites. These operations are central to the skill's legitimate purpose of fact-checking. No exfiltration of sensitive user data to non-whitelisted or malicious domains was detected.
- Obfuscation: No obfuscation techniques such as Base64 encoding, zero-width characters, Unicode homoglyphs, or URL/hex/HTML encoding were found.
- Unverifiable Dependencies: The skill instructs the agent to `Fetch: https://en.wikipedia.org/wiki/List_of_fact-checking_websites` (Line 60 in SKILL.md). Wikipedia is considered a trusted external source for informational content. This is noted as an informational finding but does not elevate the overall risk.
- Privilege Escalation: No commands indicating privilege escalation (e.g., `sudo`, `chmod +x`, `chmod 777`, service installations) were found.
- Persistence Mechanisms: No attempts to establish persistence (e.g., modifying `.bashrc`, `crontab`, `authorized_keys`) were detected.
- Metadata Poisoning: The `_meta.json` file and the YAML front matter in `SKILL.md` are clean and do not contain any malicious instructions.
- Indirect Prompt Injection: The skill's core functionality involves fetching and processing content from external websites using `web_fetch`. This inherently makes the skill susceptible to indirect prompt injection if a malicious actor were to embed instructions within the content of a fact-checking website (even a legitimate one if compromised). The skill attempts to mitigate this by explicitly excluding 'Fraudulent fact-checking websites' based on the Wikipedia list, but the general risk remains for any skill processing external, untrusted content. This is an informational risk inherent to the task, not a direct vulnerability in the skill's code.
- Time-Delayed / Conditional Attacks: The skill includes conditional logic based on content age (e.g., '3 days old or less') for legitimate purposes (scheduling follow-up fact-checks). This is not indicative of a malicious time-delayed attack.
Conclusion: The skill is well-behaved and adheres to security best practices within its design. The identified external download is from a trusted source, and the inherent risk of indirect prompt injection from processed web content is a general consideration for such skills, not a specific vulnerability introduced by this skill's instructions.