skills-router

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The 'Routing Logic' section in SKILL.md defines shell command templates like 'ck --sem "{query}"' and 'mcp-skillset search "{query}"' that directly interpolate user-controlled variables into a bash context. This presents a significant risk of command injection if the input is not strictly sanitized by the agent.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill's 'Skill Loading Protocol' explicitly enables a 'Level 3' loading state which includes 'scripts/ and full capability'. Because the selection of which skill to load is driven by semantic matching of untrusted user queries, an attacker could trigger the execution of unintended local scripts.
  • [PROMPT_INJECTION] (HIGH): This skill is a high-risk indirect prompt injection surface. Evidence: 1. Ingestion point: User queries are processed via the '{query}' variable in SKILL.md. 2. Boundary markers: None are present to delimit untrusted data. 3. Capability inventory: The skill can execute local scripts and access sensitive personal data (lifelogs, memory) via downstream skills like 'context-orchestrator'. 4. Sanitization: No sanitization or validation of the semantic match results is implemented.
  • [DATA_EXPOSURE] (MEDIUM): The skill manages access to sensitive directories such as '~/.claude/skill-db/' and facilitates the use of skills designed to extract personal memory and lifelog data, increasing the impact of any successful compromise.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 04:41 AM