skill
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The extensions/factory/validator.py script executes generated skill code and tests using subprocess.run(['uv', 'run', 'pytest', ...]). This execution happens on the host system without robust virtualization or container-based isolation, allowing potentially malicious code to run with the agent's privileges.
- [REMOTE_CODE_EXECUTION]: The extensions/factory/core.py module uses an LLM to generate Python scripts from natural language requirements and writes them directly to the assets/skills/ directory. When combined with the automated validator and 'jit_install' capabilities, this creates a pipeline for executing code derived from untrusted input.
- [PROMPT_INJECTION]: The extensions/factory/harvester.py script processes session history (untrusted data) to detect skill creation requests, which are then passed to the code generator without sanitization or boundary markers. Additionally, the SKILL.md file contains instructions labeled as [CRITICAL] and MANDATORY RULE designed to override the agent's default tool-calling logic.
- [EXTERNAL_DOWNLOADS]: The data/known_skills.json file contains a list of skill identifiers linked to external GitHub repositories (e.g., github.com/omni-dev/skill-pandas). The skill.jit_install command is designed to fetch and activate these remote resources.
- [DATA_EXFILTRATION]: The scripts/discovery.py tool returns metadata that includes absolute or relative local file paths for source code and documentation, exposing the system's directory structure. The scripts/templates.py module allows reading file contents via get_template_source based on user-supplied parameters.
Recommendations
- AI detected serious security threats