create-soul
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it ingests untrusted external data to generate core behavioral instructions for a new agent skill.
  - Ingestion points: Step 2 fetches content from YouTube URLs, blog URLs, and local files (e.g., Twitter archives).
  - Boundary markers: Absent. The instructions do not direct the agent to ignore or isolate potential command-like text within the source materials.
  - Capability inventory: The skill writes new files (Step 4) and instructs the user to move these files into system-level agent directories (Step 6).
  - Sanitization: Absent. The 'distillation' logic (Pass 1 and 3) explicitly extracts 'rules', 'thinking styles', and 'hard boundaries' directly from the raw, untrusted input without validation.
- [EXTERNAL_DOWNLOADS]: The skill references multiple Python scripts (e.g., collectors/fetch_url.py, collectors/youtube_transcript.py) designed to fetch content from arbitrary remote URLs provided by the user.
- [COMMAND_EXECUTION]: Step 6 provides specific bash commands for the user to execute that move the generated code into persistent configuration directories such as ~/.claude/commands/. If the generation process was compromised via malicious input, this results in the persistence of a malicious tool in the user's environment.
Audit Metadata