skill-upload

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill ingests untrusted data from local directories provided by users (specifically SKILL.md and configuration files) and has powerful capabilities including Bash and file submission. Malicious content in the ingested files could override agent behavior.
  • Ingestion points: File content reading in the '结构审核' (structure audit) step (Step III) using the Read, bash, and find tools.
  • Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the files being audited/uploaded.
  • Capability inventory: Bash (ls, find), Edit, and mcp__skill-uploader__submit_skill (external data transmission).
  • Sanitization: Absent for natural language instructions; the skill only excludes specific directories like node_modules and .git.
  • Credentials Unsafe (HIGH): The skill explicitly asks the user to provide an UPLOAD_SECRET in the cleartext chat session. It also instructs users to hardcode a GITHUB_TOKEN in a plaintext JSON configuration file (mcpServers config), which violates credential safety best practices.
  • Command Execution (LOW): Uses bash to execute local discovery commands (ls, find). While standard for file management, these tools can be used for unauthorized data exploration if the agent is compromised via injection.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:35 PM