Skill audit: Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the `npx` utility to execute the `sundial-hub` CLI tool for administrative tasks such as searching for skills, adding them to projects, and managing authentication. It also executes a local shell script, `scripts/validate_skill.sh`, to verify the integrity of skill directories.
- [REMOTE_CODE_EXECUTION]: There is a technical vulnerability in `scripts/validate_skill.sh`. The script executes a Python command where a shell variable (`$SKILL_MD`) is interpolated directly into the Python source string: `content = open('$SKILL_MD').read()`. If the file path contains single quotes and Python commands (e.g., `path/to/my' + __import__('os').system('ls') + '`), it could lead to arbitrary code execution when the validation script is run.
- [DATA_EXFILTRATION]: The skill includes a `push` workflow that transmits local skill files and metadata to the Sundial Hub using `npx sundial-hub push`. This is the intended behavior of the publishing feature but involves the outbound transfer of local directory contents.
- [PROMPT_INJECTION]: The skill is designed to ingest and process external skill files (Category 8) during its improvement and evaluation workflows.
  - Ingestion points: Reads `SKILL.md` and related files from local directories or those fetched from the hub (documented in `SKILL.md`).
  - Boundary markers: No explicit XML delimiters or isolation instructions are provided to the agent when it reads and processes the content of external skills.
  - Capability inventory: The skill has extensive permissions including network access (via `npx`), local script execution, and file system writes (documented in `SKILL.md` and `scripts/validate_skill.sh`).
  - Sanitization: The skill does not implement validation or filtering on the content of the skills it reads before processing them, relying instead on the agent's internal safety filters.