skillify
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting data from the current conversation history to generate a new SKILL.md instruction file.
  - Ingestion points: The current session conversation history and user interview responses are used to populate the goal, steps, and success criteria of the new skill.
  - Boundary markers: The generated SKILL.md template does not include boundary markers or instructions to ignore potentially malicious content embedded in the session data.
  - Capability inventory: The skill uses Read, Write, and Edit tools to create the new skill files and can assign various tool permissions to the generated skill.
  - Sanitization: The skill lacks explicit sanitization or escaping of session data before it is written into the new instruction file.
- [COMMAND_EXECUTION]: The skill utilizes Bash(mkdir:*) to create directory structures for new skills. While restricted to directory creation, it facilitates the persistent storage of generated instructions in the file system.
- [DATA_EXFILTRATION]: The skill writes files to the user's home directory (~/.claude/skills/) for 'personal' skills. This involves file system operations in a sensitive area outside the immediate project repository, which could be used to store or modify persistent agent configurations.