create-x-content
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill is a template-driven instructional guide for the AI agent. It does not contain any executable scripts, binaries, or command-line operations that present a security risk. All operations are limited to reading local configuration and writing drafted content to the local filesystem.\n- [PROMPT_INJECTION]: The skill processes user-supplied text via the
--briefparameter, creating an attack surface for indirect prompt injection where a malicious brief could attempt to manipulate the drafting logic.\n - Ingestion points: The
--briefflag in SKILL.md and interactive user input.\n - Boundary markers: Absent; the instructions interpolate the user brief directly into the prompt without delimiters or warnings to ignore embedded commands.\n
- Capability inventory: The skill has read access to the local
~/.goose-skills/directory for configuration and voice guides, and write access to the./content/directory for outputting files.\n - Sanitization: None; the agent is instructed to use the brief's specifics verbatim, including names and numbers.
Audit Metadata