awesome-skills-deepdive
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill systematically fetches skill source code, metadata, and security verdicts from GitHub's API, raw content domains, and the ClawSkills platform to perform its auditing and summarization tasks.
- [COMMAND_EXECUTION]: Employs standard developer utilities including Git and the GitHub CLI (gh) to manage repository lifecycles, including forking, cloning, and pushing updates.
- [PROMPT_INJECTION]: The file references/security-checklist.md includes example injection strings like "Ignore all previous instructions" and "unrestricted mode" as reference data for auditing other skills. Additionally, the process of fetching and summarizing thousands of untrusted community skill descriptions presents a surface for indirect prompt injection, although the subagent instructions prioritize objective summarization.
- [SAFE]: No evidence of malicious behavior such as credential harvesting or sensitive data exfiltration was found. The skill utilizes Python's standard library for its automation scripts and manages GitHub tokens via environment variables in accordance with security best practices.
Audit Metadata