NYC

skill-share

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill's primary function is to scaffold new executable skill packages based on user instructions, creating a high-risk injection surface.
    1. Ingestion points: User-supplied skill names, descriptions, and functional requirements used to populate metadata and directory structures.
    2. Boundary markers: No delimiters or isolation protocols are defined in the documentation to prevent user input from overriding the structure of the generated skill.
    3. Capability inventory: Write access to the local filesystem and the ability to send messages externally via Slack.
    4. Sanitization: There is no evidence of input validation or escaping for the generated SKILL.md files.
  • [Command Execution] (MEDIUM): The skill relies on Python scripts to perform directory creation and file packaging, meaning it executes logic that is dynamically influenced by user-provided metadata.
  • [Data Exfiltration] (MEDIUM): The integration with Slack via Rube (SLACK_SEND_MESSAGE) allows the agent to transmit data to an external network. This could be exploited to leak sensitive information from the skill creation directory under the guise of skill metadata.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 11:49 PM