skill-contributor
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill processes untrusted content from user-provided skill directories, which creates a surface for indirect prompt injection.
- Ingestion points: The agent reads
SKILL.mdand other files from a user-specified path to validate them and extract metadata for PR descriptions. - Boundary markers: Absent. There are no explicit instructions for the agent to treat the content of the skill files as untrusted data or to ignore embedded instructions.
- Capability inventory: The skill can execute shell commands (
git,python3,cp,gh), modify local files (README.md), and perform network operations (git push,gh pr create). - Sanitization: The skill performs format validation (e.g., checking naming conventions) via a Python script but does not sanitize the textual content of descriptions before interpolating them into git commit messages or PR bodies.
- [Command Execution] (SAFE): The skill executes several shell commands to manage the contribution workflow.
- Evidence: Usage of
git,cp,gh, andpython3to run a local validation script. - Context: These operations are central to the skill's primary purpose. The execution of the validation script (
skills/skill-builder/scripts/validate-skill.py) is performed on a local path within the expected repository, which is a standard development practice.
Audit Metadata