heal-skill
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a workflow to modify instruction files (SKILL.md) based on observations from conversation history. This introduces a risk of Indirect Prompt Injection, where an attacker could provide malicious "corrections" in the chat to trick the agent into inserting unauthorized instructions into its own skills.
- Ingestion points: Interprets conversation context and existing SKILL.md files to derive code and instruction changes.
- Boundary markers: The skill does not define specific delimiters to separate untrusted data from the instructions used to generate the new SKILL.md content.
- Capability inventory: Uses the 'Edit' tool to overwrite instruction files and 'Bash' to commit changes to a repository.
- Sanitization: Relies on manual human review via the 'AskUserQuestion' tool before any modifications are applied.
- [COMMAND_EXECUTION]: Executes shell commands via Bash to list files (
ls) and manage version control (git). These operations are used for discovering skills and committing the generated fixes to the filesystem.
Audit Metadata