skill-creator-openai
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- [SAFE] (SAFE): No malicious behavior or security vulnerabilities detected. The scripts use yaml.safe_load() to prevent arbitrary code execution during metadata parsing and Path.resolve() for secure file path handling. Validation logic is present to ensure metadata follows a strict schema.
- [Category 7: Metadata Poisoning] (LOW): The quick_validate.py script proactively mitigates metadata poisoning by enforcing a strict hyphen-case regex for skill names and stripping angle brackets (<, >) from descriptions to prevent HTML/XSS injection in downstream UIs.
- [Category 10: Dynamic Execution] (SAFE): The code avoids all forms of eval(), exec(), or unsafe deserialization, opting for the PyYAML SafeLoader for processing skill configurations.
Audit Metadata