time-to-skill
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The installation instructions (
npx skills add shihyuho/skills) involve downloading code from a third-party GitHub repository that is not on the trusted whitelist. - [CREDENTIALS_UNSAFE] (HIGH): The skill's primary function is to record "Exact commands used" and "Code templates" from user activity. If a user executes commands containing sensitive secrets (e.g., API keys or passwords) multiple times, the skill will automatically capture these into persistent pattern documentation files, leading to sensitive data exposure.
- [PROMPT_INJECTION] (HIGH): This skill represents a significant indirect prompt injection surface (Category 8).
- Ingestion points: It monitors all user interactions, including data the user may be processing from untrusted external sources (e.g., a README from another repo).
- Boundary markers: None. The skill directly extracts text and commands into documentation templates without delimiters.
- Capability inventory: The documented patterns are passed to
skill-creator, which has the capability to generate and execute newSKILL.mdfiles. This allows an attacker to potentially trick the agent into creating a persistent, malicious skill based on 'observed' behavior. - Sanitization: No evidence of sanitization or validation of the captured content before it is prepared for skill creation.
- [PROMPT_INJECTION] (MEDIUM): The "OpenCode Plugin" functionality explicitly injects a system prompt reminder into every session, which modifies the agent's core instructions and forces a state of constant monitoring without explicit per-task consent.
Recommendations
- AI detected serious security threats
Audit Metadata