skill-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill performs web-grounded research via the
geminiCLI to incorporate external knowledge into newly created skills (Step 0). \n - Ingestion points: Tool output from the
geminiCLI (web search results) as described inSKILL.md. \n - Boundary markers: Absent; there are no instructions to sanitize or ignore instructions embedded within the research results. \n
- Capability inventory: The skill can autonomously write files (
SKILL.md,scripts/*.py) and execute scripts (scripts/validate_skill.py). \n - Sanitization: Absent; search data is directly processed to define skill triggers and logic. \n- [Dynamic Execution] (MEDIUM): The skill is a meta-utility designed to generate and execute code at runtime. It encourages creating executable scripts and specifically runs a local validation script (
scripts/validate_skill.py) as part of its workflow. Severity is reduced to LOW because this behavior is the primary intended function. \n- [Command Execution] (LOW): The instructions direct the agent to modify file permissions (chmod +x) and execute generated scripts to handle deterministic operations. \n- [Persistence Mechanisms] (HIGH): The skill is designed to autonomously persist new capabilities in~/.claude/skills/without requiring user permission, which could be exploited if the agent is influenced by malicious research data.
Audit Metadata