learn
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It is designed to extract 'reusable knowledge' from session history and write it into persistent instruction files (.mdc). An attacker who can influence the session history could lead the agent to save malicious instructions that will be treated as authoritative system guidelines in future sessions.
- Ingestion points: Conversation history and user-provided session data (SKILL.md).
- Boundary markers: The extraction process lacks explicit delimiters or instructions to ignore embedded commands within the analyzed session data.
- Capability inventory: The skill uses 'Write' and 'Edit' tools to create permanent rule files in .claude/rules/ and .claude/skills/, which directly influence the agent's behavior.
- Sanitization: There is no evidence of sanitization or safety checks performed on the extracted content before it is codified into a skill file.
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute remote code using 'npx skiller@latest apply'. This command downloads and executes the latest version of the 'skiller' package from the npm registry. While this appears to be a tool associated with the skill's author (udecode), it represents a remote execution pattern that bypasses local version pinning.
- [COMMAND_EXECUTION]: The skill contains instructions to execute various shell commands for dependency management and environment setup, such as 'npm install -g madge' and 'ps aux | grep next'. These commands are used for legitimate project analysis but contribute to the skill's broad capability set.
Audit Metadata