skills/nomadamas/k-skill/naming-house/Gen Agent Trust Hub

naming-house

Pass

Audited by Gen Agent Trust Hub on Jul 1, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of the naming-house package from the npm registry. It also references other packages including saju-fortune, namefyi, and korean-stroke for auxiliary calculations.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands to perform global package installations (npm install -g) and to execute Node.js logic using heredocs (`node
  • <<'JS'`).
  • [INDIRECT_PROMPT_INJECTION]: The workflow creates a surface for indirect prompt injection by interpolating untrusted user inputs—such as surnames, birth dates, and name candidates—directly into dynamically generated JavaScript templates executed via the shell.
  • Ingestion points: User-provided inputs for surname, surnameHanja, birthDate, birthTime, and the candidates array are processed in SKILL.md.
  • Boundary markers: No specific delimiters or "ignore embedded instructions" warnings are utilized when interpolating these values into the script templates.
  • Capability inventory: The skill possesses the capability to execute shell commands (npm, node) as described in the workflow sections of SKILL.md.
  • Sanitization: The instructions do not specify any escaping or validation mechanisms for the user-supplied strings before they are placed into the executable script blocks.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 1, 2026, 07:38 AM
Security Audit — agent-trust-hub — naming-house