bggg-skill-taotie
Warn
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it is designed to ingest and process instructions from external, untrusted skill repositories. (1) Ingestion points: Phase 1 reads all files (SKILL.md, scripts, and references) from target and reference skills. (2) Boundary markers: The skill does not implement programmatic delimiters or boundary markers for the processed content. (3) Capability inventory: The skill has access to high-privilege tools including Read, Write, Edit, Bash, and Agent (sub-agent execution). (4) Sanitization: It relies on high-level natural language instructions advising the agent to 'check for suspicious instructions,' which can be bypassed by sophisticated adversarial content.
- [COMMAND_EXECUTION]: During Phase 2 (Comparison), the skill utilizes the Agent tool to run tasks defined by the instructions found in the external reference skills. This execution of instructions from untrusted sources can lead to the execution of unauthorized bash commands or malicious tool calls.
- [COMMAND_EXECUTION]: Phase 4 (Injection) involves the automated modification of a target skill's source files based on patterns extracted from a reference skill. This dynamic code modification process lacks strict validation and could facilitate the propagation of malicious code or backdoors from one skill to another.
Audit Metadata