add-skill
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill leverages local shell commands including mkdir, cp, ls, grep, and diff. These are primarily used for directory management and synchronizing skill definitions between platform-specific folders (.claude/, .cursor/, and .codex/).
- [PROMPT_INJECTION]: A core component of the skill involves updating JavaScript files (.claude/hooks/skill-forced-eval.js and .cursor/hooks/cursor-skill-eval.js) to register new triggers. It instructs the AI to insert user-defined strings into these files, which could lead to code or instruction injection if the input contains malicious payloads designed to escape the JavaScript string or array context.
- [INDIRECT_PROMPT_INJECTION]:
  - Ingestion points: User-provided inputs (skill names, descriptions, and trigger words) are ingested to generate new documentation and configuration files.
  - Boundary markers: The instructions lack specific boundary markers or 'ignore' directives to prevent the AI from obeying malicious instructions embedded within the user-provided data for the new skill.
  - Capability inventory: The skill has the capability to write to the local filesystem and execute shell commands to modify the agent's own configuration and execution hooks.
  - Sanitization: There is no evidence of sanitization or validation logic to ensure that generated skill names (kebab-case) or trigger words do not contain control characters or malicious instructions.
Audit Metadata