skill-creator
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the subprocess module to execute bundled scripts (e.g., run_loop.py, package_skill.py) and the claude CLI. These operations are core to the skill's functionality for creating, benchmarking, and packaging other skills and are executed without elevated privileges.
- [EXTERNAL_DOWNLOADS]: The evaluation viewer components load the SheetJS library from a well-known public CDN (cdn.sheetjs.com). This is used to provide spreadsheet rendering capabilities for the user to review evaluation results.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it ingests user-controlled test queries and feedback, which are then used as context for Claude to improve skill descriptions.
  - Ingestion points: Test queries from eval_set.json and user feedback from feedback.json enter the agent context.
  - Boundary markers: Prompt templates use XML-style tags like <scores_summary> and <skill_content> to separate untrusted data from instructions.
  - Capability inventory: The skill can write files and execute shell commands via the Claude CLI.
  - Sanitization: While untrusted content is wrapped in delimiters, the skill does not explicitly escape or sanitize the content to prevent potential delimiter breakouts.
- [SAFE]: The code is well-structured and uses safe practices, such as yaml.safe_load() for parsing configuration files and providing human-in-the-loop review steps before finalizing skill modifications.
Audit Metadata