skill-create
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via its web research step. In Phase 1, Step 2, the agent uses WebSearch and a Task subagent to find best practices. Malicious content on the web could trick the agent into including dangerous instructions or faulty logic in the newly created skill.
- Ingestion points: Research results from WebSearch and Task tools in Step 2.
- Boundary markers: None are specified to isolate the retrieved web content.
- Capability inventory: Write access to skills/**, Edit access to configuration, and Bash execution for git and gh.
- Sanitization: No explicit validation of the research data is performed.
- [COMMAND_EXECUTION]: The skill executes local bash scripts like scripts/prepare-skill-pr.sh and standard version control commands (git, gh). These are used to manage the lifecycle of the skill creation process and are considered part of its core functionality.
- [EXTERNAL_DOWNLOADS]: The skill fetches external data through web searches to inform its design process. While it does not download binaries, integrating unverified external data into the codebase is a risk factor.
Audit Metadata