skill-creator
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
subprocess.Popeninscripts/run_eval.pyto execute theclaudeCLI tool. This is a core component of the skill's ability to test and benchmark how other skills trigger and perform within the agent environment. - [EXTERNAL_DOWNLOADS]: The evaluation viewer (
eval-viewer/viewer.html) references the SheetJS library from a well-known CDN (cdn.sheetjs.com). This external dependency is used to provide browser-based rendering of spreadsheet files generated during test runs. - [DATA_EXFILTRATION]: To optimize skill descriptions,
scripts/improve_description.pysends the skill's content and test results to the Anthropic API. This is the intended behavior for the description-improvement loop and uses standard API client patterns. - [PROMPT_INJECTION]: The instructions in
SKILL.mdencourage the creation of 'pushy' descriptions to ensure skills trigger reliably. This is a behavioral engineering technique for skill discovery and does not involve bypassing safety guidelines or overriding system prompts.
Audit Metadata