skill-optimize
Pass
Audited by Gen Agent Trust Hub on Apr 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes a 'Mode detection' logic that allows bypassing plan approval and user review if the arguments contain 'auto' or 'trust me'. This reduces human oversight during the execution of tasks that modify local files.
- [PROMPT_INJECTION]: The skill uses a placeholder
$PROMPTinside an<additional-instructions>tag. This is a direct interpolation of user-supplied arguments into the agent's operational instructions, creating a surface for prompt injection. - [COMMAND_EXECUTION]: The skill is designed to modify, create, and organize files and directories within the
.claude/skills/directory. While this is the intended purpose, it grants the agent the capability to persist changes to its own operational environment. - [COMMAND_EXECUTION]: The skill chains multiple other skills (
skill-creator,claude-code,docs-seeker) to achieve its goals, extending its functional reach across the agent's toolset. - [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
- Ingestion points: The skill ingests untrusted data from the
$PROMPTargument and reads the content of existing skills in the.claude/skills/directory for analysis. - Boundary markers: The skill uses
<additional-instructions>tags as delimiters for the injected prompt, which provides some structure but does not prevent adversarial instructions from influencing behavior. - Capability inventory: The skill can create directories, write new markdown files (
plan.md,phase-XX-*.md), and modify existingSKILL.mdfiles using tool-calling capabilities. - Sanitization: No explicit sanitization or validation of the input
$PROMPTor the analyzed skill content is performed before processing or writing to disk.
Audit Metadata