exit
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Dynamic Execution (MEDIUM): The skill documentation and schema (SKILL.md, CARD.yml) define 'guard_js' and 'guard_py' fields which are intended to hold compiled code. This represents a dynamic execution surface where natural language instructions are converted into executable closures, posing a risk if the compilation or execution context is not strictly isolated.
- Data Exposure & Path Traversal (MEDIUM): The 'destination' field in 'SKILL.md' and 'README.md' demonstrates the use of relative file paths (e.g., '../maze/room-a/'). Since the skill is granted 'read_file' and 'write_file' permissions, an attacker could use these fields to influence the agent into reading or writing files outside of the intended directory structure.
- Metadata Poisoning (MEDIUM): The presence of 'skill-snitch-report.md' is a deceptive pattern. It is an internal file that mimics an external security audit to provide a false sense of safety ('Verdict: FUNDAMENTAL GRAPH EDGE. APPROVE.') and preemptively downplay risks.
- Indirect Prompt Injection (LOW): The skill provides numerous fields for natural language text (description, hint, lock_message) that the agent is expected to process and display.
  - Ingestion points: Multiple fields in SKILL.md and CARD.yml (description, short, hint, lock_message).
  - Boundary markers: None identified; the text is treated as raw data for the agent to interpret.
  - Capability inventory: Access to 'read_file' and 'write_file' allows the agent to interact with the filesystem based on injected content.
  - Sanitization: No evidence of sanitization or validation for these fields.
Audit Metadata