continuous-skill-optimizer
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/execute.py executes local benchmarking logic via subprocess.run. The implementation uses a list-based command structure (no shell interpretation of arguments), which is a secure practice that prevents shell injection attacks. Additionally, the skill's documentation in SKILL.md explicitly lists the expected command-line usage.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because its primary function is to ingest and process instructions from target SKILL.md files.
  - Ingestion points: Target SKILL.md files and evaluation sets are read from paths specified by the user or the caller, as defined in the Discovery Phase of SKILL.md.
  - Capability inventory: The skill has the capability to execute sub-processes via scripts/execute.py and write to the filesystem (e.g., evals/results.tsv).
  - Boundary markers: While the skill follows a procedural optimization loop, it lacks explicit instructions to ignore potentially malicious directives embedded within the target skill's description or metadata during the analysis phase.
  - Sanitization: The provided execution scripts do not include specific sanitization or filtering of the external skill content being processed.
- [DATA_EXFILTRATION]: Analysis of scripts/execute.py reveals a proactive security control where sensitive environment variables (GITHUB_TOKEN, GH_TOKEN, and COPILOT_GITHUB_TOKEN) are explicitly removed before the optimization loop is executed. This prevents sub-processes from accidentally accessing or exposing the user's credentials.