skill-upgrader
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill is susceptible to shell command injection by interpolating user-controlled variables like '{skill_name}' directly into Bash commands such as 'mkdir -p'. Additionally, it executes local Python scripts ('scripts/ragie_query.py') using the 'uv' runner, which is a sensitive capability that assumes the environment's integrity.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection. (1) Ingestion point: Untrusted skill files are read from the file system for processing. (2) Boundary markers: Content from external files is interpolated directly into sub-agent prompts without delimiters or protective instructions. (3) Capability inventory: The skill has extensive privileges including 'Bash', 'Write', and 'Task' tools. (4) Sanitization: No input validation or escaping is applied to the content of the skills being upgraded.
Audit Metadata