Skills
skills/rileyhilliard/claude-essentials/strategy-writer/Gen Agent Trust Hub

strategy-writer

Pass

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: LOWNO_CODE
Full Analysis

The analysis of all 9 provided files (SKILL.md, references/advocate.md, references/analyst.md, references/business-case-template.md, references/customer-insight-template.md, references/market-analysis-template.md, references/researcher.md, references/strategist.md, references/strategy-memo-template.md) revealed no security vulnerabilities. All files consist solely of instructional text and markdown formatting, defining personas, writing principles, forbidden patterns, and document templates for the AI's output generation.

Specifically:

  • Prompt Injection: No patterns attempting to override or bypass the AI's safety guidelines were found. The instructions are constructive, focusing on writing quality and adherence to specific styles.
  • Data Exfiltration: There are no commands or instructions that would access local files (other than the skill's own internal reference files) or perform network operations to send data externally.
  • Obfuscation: No Base64, zero-width characters, Unicode homoglyphs, or other encoding techniques were detected that could hide malicious content.
  • Unverifiable Dependencies: All referenced files (references/*.md) are local to the skill package and were included in the analysis. No external package installations (e.g., npm install, pip install) or remote script downloads were found.
  • Privilege Escalation: No commands like sudo, chmod, or attempts to modify system configurations were present.
  • Persistence Mechanisms: No instructions to modify shell configurations (.bashrc), create cron jobs, or establish other persistence methods were found.
  • Metadata Poisoning: The name and description fields in SKILL.md are benign and accurately reflect the skill's purpose.
  • Indirect Prompt Injection: While any skill processing external user input could theoretically be susceptible to indirect injection, this skill's primary function is to generate content based on user prompts and internal guidelines, not to process untrusted external data sources in a way that would trigger this risk.
  • Time-Delayed / Conditional Attacks: No conditional logic based on dates, usage counts, or environment variables was detected.

In conclusion, this skill is purely instructional and does not execute any code or interact with the system in a way that could pose a security risk. It is categorized as a 'NO_CODE' skill.

Audit Metadata
Risk Level
LOW
Analyzed
Feb 12, 2026, 02:10 PM