skill-discovery
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill ingests untrusted repository metadata from GitHub, which represents an indirect prompt injection surface.
  - Ingestion points: discover.js and evaluate.js fetch repository names, descriptions, and README content via the GitHub API.
  - Boundary markers: No specific delimiters or safety instructions are used to isolate untrusted external content from the agent's core logic.
  - Capability inventory: The skill includes the ability to generate manifest files (SKILL.md) and integration scripts (integrate.sh) based on this untrusted data.
  - Sanitization: Basic keyword filtering (e.g., 'malware', 'exploit') and name sanitization are implemented, but these do not prevent malicious natural language instructions in descriptions from influencing the agent's evaluation scoring.
- [COMMAND_EXECUTION]: The generate.js script dynamically creates a shell script (integrate.sh) that performs filesystem operations such as mkdir and ln -s using parameters derived from external repository metadata. While the skill name is sanitized to prevent direct path traversal, this automated generation of activation scripts facilitates the integration and execution of unvetted third-party code.
Audit Metadata