skill-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill implements a workflow in which it fetches remote repository data and instructs the agent to 'Refactor' local files (`SKILL.md` and `wrapper.py`) based on that untrusted content.
  - Ingestion points: `scripts/scan_and_check.py` extracts `github_url` from other skills; the agent subsequently fetches the remote README files.
  - Boundary markers: None. The instructions in `SKILL.md` provide no delimiters or warnings to ignore instructions found within the fetched remote content.
  - Capability inventory: The agent is granted the capability to overwrite local skill files and to execute deletion commands via `scripts/delete_skill.py`.
  - Sanitization: None. The agent is encouraged to adopt 'new features' and 'usage changes' directly from the remote source into local code.
- Command Execution & File System Safety (MEDIUM): The `scripts/delete_skill.py` script performs recursive directory deletion without sanitizing the input `skill_name`.
  - Evidence: `skill_dir = os.path.join(skills_root, skill_name)` followed by `shutil.rmtree(skill_dir)`. An attacker supplying a path such as `../../` as a skill name could trigger deletion of sensitive directories outside the intended skills folder.
- Metadata Poisoning (LOW): The skill relies on metadata (`github_url`, `github_hash`) stored in other `SKILL.md` files. If these are modified by a malicious process, the manager will target attacker-controlled infrastructure in its 'Update' workflow.
- Privacy (INFO): Scripts such as `scripts/list_skills.py` and `scripts/delete_skill.py` contain hardcoded local Windows paths (e.g., `C:\Users\20515\...`), which leak information about the developer's environment.
Recommendations
- AI detected serious security threats