skill-auto-activator

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses a hook to prepend metadata-derived content to user messages, which introduces a potential indirect prompt injection vulnerability.
      • Ingestion points: The skill ingests data from the user's message and from a local INDEX.yaml file that contains skill names and descriptions.
      • Boundary markers: The script uses markdown formatting and a horizontal rule (---) to separate the injected suggestion from the original user prompt, but it does not include explicit instructions for the AI to ignore any commands potentially embedded in the injected text.
      • Capability inventory: The script is restricted to reading local files and string manipulation. It does not use subprocess, eval, or exec, and it does not make any network connections.
      • Sanitization: While the script uses regex to normalize keywords for matching purposes, it does not sanitize or escape the descriptive text from the metadata file before interpolating it into the prompt.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 7, 2026, 10:06 PM