skill-design
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) because it is intended to ingest and refactor untrusted external skill definitions.
  - Ingestion points: Input SKILL.md and README.md files during refactoring tasks.
  - Boundary markers: Absent; no specific delimiters are defined for the input data being processed.
  - Capability inventory: Generates instructions for shell commands, system persistence, and network operations.
  - Sanitization: Absent; the skill does not specify methods to escape or validate the content of the skills it refactors.
- [EXTERNAL_DOWNLOADS]: The 'Done Checklist' includes an example command 'npx --yes skills-ref validate' which downloads an unverified package from the npm registry.
- [COMMAND_EXECUTION]: The skill provides instructions for the local execution of a command-line validation tool.
- [REMOTE_CODE_EXECUTION]: The use of 'npx --yes' with an unversioned package from the npm registry constitutes a form of remote code execution during the skill validation process.
Audit Metadata