heal-skill
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses restricted Bash commands (`ls` and `git`) to scan directories and potentially commit changes. While restricted, these provide visibility into the file system structure within the skills directory.
- [PROMPT_INJECTION]: The core purpose of the skill is to rewrite agent instructions. If an attacker can influence the conversation context or the arguments passed to this skill, they could potentially trick the agent into 'healing' a skill with malicious instructions, leading to persistent prompt injection.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: Reads existing `SKILL.md` files and analyzes the 'conversation context' and 'invocation messages' to determine fixes (SKILL.md).
  - Boundary markers: No explicit boundary markers are used to separate untrusted conversation data from the reasoning logic.
  - Capability inventory: Possesses the `Edit` tool, which allows writing to any file within the `./skills/` path (SKILL.md).
  - Sanitization: The skill implements a human-in-the-loop mitigation by requiring explicit user approval (Step 5) before any edits are applied to files.
Audit Metadata