skill-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): In Step 4, the skill is instructed to 'Execute any scripts referenced in the skill using the shell.' This allows for arbitrary code execution of any script file discovered within the workspace. While this is the primary purpose of a testing tool, the lack of sandboxing or script validation presents a significant risk if the workspace contains untrusted files.
- PROMPT_INJECTION (LOW): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it is designed to ingest and faithfully follow instructions from external workspace files.
- Ingestion points: Reads and parses
SKILL.md,references/documents, andscripts/from the local workspace. - Boundary markers: None. The instructions explicitly state to 'follow the skill's instructions exactly' and 'do not shortcut or skip steps.'
- Capability inventory: Full shell execution of local scripts, file system write access for report generation, and network access via web search/URL fetch tools.
- Sanitization: No sanitization, escaping, or validation of the untrusted instructions or script content is performed.
- REMOTE_CODE_EXECUTION (LOW): Step 3 allows the use of URL fetch tools (fetch, tavily, jina reader, etc.) to retrieve content from the web. If an attacker controls the content of a URL fetched by the skill, they could potentially inject instructions that are then 'faithfully' executed by the agent during the simulation phase.
Audit Metadata