skill-to-card
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses npx to fetch and execute the gray-matter and sundial-hub packages from the NPM registry. While these are legitimate dependencies, they are resolved and executed at runtime.
- [COMMAND_EXECUTION]: Shell commands such as npx, uv run, and curl are constructed by the agent using user-provided strings, including skill names, descriptions, and changelogs. The instructions do not specify input validation or escaping, creating a vulnerability to command injection if malicious characters are included in the user input.
- [REMOTE_CODE_EXECUTION]: Validation of frontmatter is performed using an inline Node.js script executed via npx. This dynamic execution of logic is used to enforce formatting but remains a sensitive execution pattern.
- [DATA_EXFILTRATION]: High-value tokens (SUNDIAL_TOKEN, GEMINI_API_KEY) are stored in the shell environment. Due to the command injection surface, an attacker could potentially craft input that triggers a subshell command to transmit these tokens to an external server.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it processes untrusted user-provided content.
- Ingestion points: User-provided skill descriptions and context files in Step 1.
- Boundary markers: No specific delimiters or safety instructions are used to separate user content from agent instructions.
- Capability inventory: Network access (curl), file system access, and command execution (npx, uv).
- Sanitization: No sanitization or validation mechanisms are described for the user-provided data before it is processed or passed to external utilities.
Audit Metadata