ag-skill-creator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to read and 'evaluate' existing SKILL.md files. This creates a significant attack surface where a malicious skill file could contain instructions that override the agent's behavior during the evaluation process.
- Ingestion points: Evaluating an Existing Skill (Step 2) reads the target skill's SKILL.md and related files into the agent's context.
- Boundary markers: Absent. There are no instructions to use delimiters or to ignore instructions embedded within the files being evaluated.
- Capability inventory: The agent has the capability to create directories, scaffold files, and modify existing files (Step 3 and Step 5 of the creation/evaluation process).
- Sanitization: Absent. The agent is directed to report findings and suggest modifications based on the content of the untrusted files.
- [Command Execution] (MEDIUM): The skill directs the agent to perform file system operations (mkdir, file writing). Although the prompt explicitly requires user confirmation ('IMPORTANT: Do NOT make any modifications automatically'), a successful indirect prompt injection could potentially convince the agent to bypass this instruction or trick the user into approving a malicious file write via social engineering.
Recommendations
- AI detected serious security threats
Audit Metadata