mine-skill
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted data from user-specified directories provided in the `$ARGUMENTS` field. This constitutes an indirect prompt injection surface. The analysis involves reading and synthesizing patterns from these files using the Read, Write, and Bash tools without explicit boundary markers to delimit untrusted content or sanitization routines to prevent the execution of embedded instructions.
- [COMMAND_EXECUTION]: The skill executes a Python script using the Bash tool. The script, located at `scripts/inventory_plugin.py`, is a pointer containing a directory traversal path (`../../../scripts/inventory_plugin.py`) which references code residing outside the skill's own directory.
- [EXTERNAL_DOWNLOADS]: The skill's setup documentation instructs the user to run `pip install`, a command used to download and install external packages from public registries. While the requirements file currently points to a relative local path, the workflow encourages external package retrieval.
Audit Metadata