money-skillify
Warn
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to perform filesystem operations, including directory creation (
mkdir -p) and file writing (SKILL.md) to the user's home directory (~/.smtm/projects/). - Evidence: Step 4 ('Write to disk') explicitly instructs the agent to create paths and write files.
- [PROMPT_INJECTION]: The skill is a primary vector for indirect prompt injection. It ingests untrusted data (the conversation history) and transforms it into permanent instructions that the agent will follow in future sessions.
- Evidence: The distilled 'Steps' and 'Trigger' sections of the generated SKILL.md are derived directly from conversation content.
- [DATA_EXFILTRATION]: While intended for workflow capture, the process of 'distilling' steps from a conversation history creates a risk of capturing sensitive data (PII, credentials, internal URLs) into a permanent file on disk.
- Evidence: The 'Edge cases' section acknowledges the presence of sensitive data and suggests sanitization, but relies on the model's ability to identify and strip it correctly.
- [PERSISTENCE_MECHANISM]: This skill provides a method for persistent instruction poisoning. A malicious instruction set hidden in a conversation can be 'codified' into a skill that is then automatically surfaced and encouraged in every future session in that project directory.
- Evidence: The 'Auto-loading project-local skills' section ensures that codified skills are automatically identified and surfaced to the user at the start of new sessions.
Audit Metadata