Skills
skills/hkuds/openspace/skill-discovery/Gen Agent Trust Hub

skill-discovery

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The search_skills tool includes an auto_import parameter that is enabled by default (true). This causes the agent to automatically download content from an external "cloud community" to the local filesystem during any skill search operation.
  • [REMOTE_CODE_EXECUTION]: The skill documentation explicitly instructs the agent to "read SKILL.md at local_path, follow the instructions" for any content downloaded from the cloud registry. This allows a remote third party to provide arbitrary instructions that the agent will execute as its own logic.
  • [PROMPT_INJECTION]: The skill architecture creates a high-risk surface for indirect prompt injection by processing and obeying instructions from untrusted external data.
  • Ingestion points: The search_skills tool retrieves SKILL.md files from a cloud-based registry to a local_path.
  • Boundary markers: There are no boundary markers or instructions provided to the agent to treat the external content as untrusted or to ignore embedded instructions.
  • Capability inventory: The agent is granted full capability to "follow the instructions" in the downloaded file, which can involve any tools or system commands the agent is authorized to use.
  • Sanitization: No sanitization, validation, or human-in-the-loop verification steps are described before the agent executes the remote instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 30, 2026, 06:42 AM
Security Audit — agent-trust-hub — skill-discovery