skills/iii-hq/workers/iii-directory/Gen Agent Trust Hub

iii-directory

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches worker bundles from the vendor registry at api.workers.iii.dev and provides functionality to pull skill folders from arbitrary GitHub repositories via the directory::skills::download_from_repo function.
  • [REMOTE_CODE_EXECUTION]: Functions such as download_from_registry and download_from_repo facilitate the installation of worker bundles by writing files directly to the local disk, which are subsequently utilized by the engine.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes and serves instructions (skills and prompts) from external sources and local files to the agent.
  • Ingestion points: directory::skills::get (reads files from disk), directory::registry::workers::info (fetches data from a remote API).
  • Boundary markers: The documentation does not specify the use of delimiters or warnings to ignore instructions embedded within the fetched documents.
  • Capability inventory: The worker has the capability to write to the local filesystem via its download functions.
  • Sanitization: No sanitization or validation of the fetched markdown or registry content is described.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 12:22 AM
Security Audit — agent-trust-hub — iii-directory