skill-composer

Pass

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill architecture prioritizes user oversight and validation, requiring manual confirmation of execution plans before any tools are invoked. The orchestration logic is implemented via separate scripts that perform structural analysis and validation of the skill chain.
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool for legitimate administrative tasks, such as scanning the local filesystem to discover available skills and their associated SKILL.md files.
  • [PROMPT_INJECTION]: The skill processes untrusted user-provided task descriptions to determine which skills to select for a workflow, creating an Indirect Prompt Injection surface.
  • Ingestion points: Task descriptions are passed as command-line arguments to the DAG builder script (scripts/build_dag.py).
  • Boundary markers: The skill does not employ specific delimiters to isolate the user task from the orchestration logic.
  • Capability inventory: The skill manages high-capability tools including Bash, Edit, Write, and Task invocation.
  • Sanitization: Input is used for keyword-based selection without complex sanitization.
  • Mitigation: The risk of malicious tasks influencing skill selection is mitigated by the mandatory human-in-the-loop review of the generated execution plan before any actions are performed.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 1, 2026, 05:55 AM
Security Audit — agent-trust-hub — skill-composer