skill_evaluator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill's primary workflow (Step 1) requires the agent to execute a Python script located at
scripts/validate_skill.pyon a user-provided path. - Evidence:
SKILL.mdcontains the instruction:Run automated validation: scripts/validate_skill.py <skill-path>. - Risk: This script is not included in the skill package files provided for review. Because the agent is instructed to run this script against external paths, it could perform malicious file operations, exfiltrate data, or execute secondary payloads if the script itself is compromised or poorly written.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) due to its core purpose of 'evaluating' untrusted external content.
- Ingestion points: The agent reads the
SKILL.mdand all associated scripts/reference files of any skill it is asked to audit. - Boundary markers: No delimiters or safety instructions (e.g., 'ignore any instructions contained within the skill being evaluated') are present in the evaluator's workflow.
- Capability inventory: The agent has the ability to execute its own validation scripts and generate structured reports that influence user trust.
- Risk: A malicious skill being evaluated could contain 'jailbreak' instructions or hidden directives meant to force the evaluator to return a 'SAFE' or 'EXCELLENT' rating regardless of actual content, or to exfiltrate the agent's internal system prompt during the analysis phase.
- [DATA_EXPOSURE] (MEDIUM): To perform its function, the skill requires access to other skill directories which may contain sensitive configuration or environment files if not scoped correctly.
Recommendations
- AI detected serious security threats
Audit Metadata