darwin-skill
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/screenshot.mjsutilizeschild_process.execSyncto run the systemopencommand. It incorporates the output path directly fromprocess.argv[3]without sanitization, which could allow for command injection if malicious input is provided. - [COMMAND_EXECUTION]: The
scripts/screenshot.mjsfile uses a hardcoded absolute file path (/Users/alchain/...) to load theplaywright-coredependency, which is a non-standard and risky implementation that relies on the author's local environment. - [EXTERNAL_DOWNLOADS]: The documentation references a ZIP archive of the skill hosted on a Cloudflare R2 bucket (
pub-161ae4b5ed0644c4a43b5c6412287e03.r2.dev). - [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection because it reads and evaluates the content of other agent skills to measure their effectiveness.
- Ingestion points: Processes all skill files located in
.claude/skills/*/SKILL.mdduring evaluation and optimization phases. - Boundary markers: No explicit boundary markers or instructions are used to isolate the evaluated skill content from the agent's control logic.
- Capability inventory: The skill can perform file modifications, execute git version control commands, and run shell scripts.
- Sanitization: The skill lacks sanitization mechanisms for the external skill content it evaluates, potentially allowing a malicious skill to influence the agent's behavior during performance testing.
Recommendations
- AI detected serious security threats
Audit Metadata