skills/xfstudio/skills/skill-share/Gen Agent Trust Hub

skill-share

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (MEDIUM): The skill ingests untrusted user input (skill name and description) and propagates it to both the local filesystem and Slack channels.
      • Ingestion points: User-provided skill name and description during initialization.
      • Boundary markers: None identified; user content is interpolated directly into templates and messages.
      • Capability inventory: Filesystem write access (directory and file creation), network access via Rube Slack tools.
      • Sanitization: No evidence of escaping or validation of user-provided strings before processing.
  • Data Exfiltration (LOW): The Slack integration (SLACK_SEND_MESSAGE, SLACK_POST_MESSAGE_WITH_BLOCKS) provides a mechanism to transmit local metadata and file links to an external service. While intended for discovery, this can be used to exfiltrate environment details if the tool is manipulated to point at sensitive paths.
  • Command Execution (MEDIUM): The skill generates executable scripts in the scripts/ directory. If the 'Validation' or 'Packaging' steps execute these scripts or use unsafe shell commands to create the ZIP archive, it could lead to arbitrary code execution.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 04:31 AM