Gen Agent Trust Hub audit of skills/otrebu/agents/plugin-creator

plugin-creator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill takes an untrusted description from the user and writes it directly into plugin.json, README.md, and marketplace.json.
    • Ingestion points: The CLI argument passed to create-plugin.ts in scripts/create-plugin.ts.
    • Boundary markers: Absent. The user input is interpolated directly into file templates.
    • Capability inventory: writeFileSync (file modification), mkdirSync (directory creation), and Bash(tsx:*) (command execution).
    • Sanitization: The pluginName is sanitized using the regex /[^a-z0-9-]/g, but the description itself is written verbatim into the files. A malicious description containing markdown headers or instructions (e.g., 'Ignore previous instructions') could compromise the agent if these files are later read as context.
  • Command Execution (HIGH): The SKILL.md instructions recommend executing a Bash command: tsx create-plugin.ts "<description>".
    • If the agent interpolates the description without escaping, a user can provide a value like "; touch pwned; #" to execute arbitrary shell commands. While the script's internal logic sanitizes for file paths, it cannot protect against injection occurring at the shell invocation layer.
  • Persistence Mechanisms (LOW): The script modifies marketplace.json, which acts as a local registry for plugins. While intended for scaffolding, this allows persistent modification of the agent's environment state.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 07:21 AM