curator
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFE
Flags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill implements an autonomous learning pipeline that clones external repositories and extracts patterns to populate procedural memory (.claude/rules/learned/). This creates a surface for indirect prompt injection, where an attacker could embed malicious instructions in a public repository to influence the agent's future behavior.
  - Ingestion points: Untrusted data from external GitHub repositories enters the agent context via curator-ingest.sh and curator-learn.sh.
  - Boundary markers: No explicit delimiters or boundary markers are described to isolate or ignore embedded instructions within the processed repository content.
  - Capability inventory: The skill uses Bash, Write, Read, WebSearch, and WebFetch to download repository data and modify local rule files.
  - Sanitization: There is no mention of sanitization, validation, or filtering of the content extracted from external repositories before it is interpolated into the agent's memory system.
- [COMMAND_EXECUTION]: The skill relies on executing multiple orchestration scripts (curator-discovery.sh, curator-scoring.sh, curator-rank.sh, curator-ingest.sh, curator-approve.sh, curator-learn.sh) to manage the repository processing pipeline.
- [EXTERNAL_DOWNLOADS]: The skill fetches repository metadata and clones source code from GitHub to facilitate its learning and discovery functions.
Audit Metadata