Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill deployment process requires running 'npx skiller@latest apply', which downloads and executes code from the NPM registry. This package is not associated with a trusted organization or the vendor 'udecode', presenting a risk of untrusted code execution.
- [EXTERNAL_DOWNLOADS]: The skill performs 'WebSearch' and 'WebFetch' operations to retrieve data from arbitrary external websites during its research phase.
- [COMMAND_EXECUTION]: The skill invokes shell commands such as 'npx' and 'npm' to install dependencies (like the well-known 'madge' package) and deploy rule configurations.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it codifies unvetted external information and session history into executable agent rules (.mdc).
  - Ingestion points: External content from web searches and session history is read into the agent's context.
  - Boundary markers: There are no explicit instructions or delimiters used to ensure the agent ignores instructions embedded within the research data.
  - Capability inventory: The skill has permissions to 'Write' to the agent's rule directory and 'Apply' those rules via the 'Skill' tool.
  - Sanitization: The skill does not perform any validation or sanitization of the fetched external content before it is used to generate new agent rules.