skill-creator
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk capability tier by combining untrusted data ingestion with write and execute permissions.
- Ingestion points: The <description> argument in SKILL.md is the primary entry point for untrusted instructions.
- Boundary markers: There are no technical delimiters or sanitization logic to prevent the agent from obeying instructions embedded in the description to write malicious code.
- Capability inventory: The skill uses the Write tool to create files and the Bash tool to modify permissions and execute commands.
- Sanitization: No input validation or code-generation safety checks are implemented; the skill relies on the agent's reasoning.
- Privilege Escalation (MEDIUM): In SKILL.md step 5, the agent is explicitly instructed to grant execution permissions (chmod +x) to dynamically generated scripts. This bypasses standard security boundaries for newly created files.
- Dynamic Execution (MEDIUM): The skill generates arbitrary shell, Python, or Node.js code at runtime based on natural language input. This 'code-as-data' pattern is dangerous when the input source is untrusted.
- Persistence (HIGH): The skill installs new executable artifacts into ~/.claude/skills/ or .claude/skills/. This ensures that any malicious functionality created via prompt injection remains active and available in all future agent sessions.
Recommendations
- AI detected serious security threats