skill-map
Warn
Audited by Gen Agent Trust Hub on Jul 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The workflow in
SKILL.mdexecutes the helper script using the patternuv run scripts/skill-map.py "$ARGUMENTS". This interpolation of user-supplied arguments into a shell command string is susceptible to shell injection attacks. If the platform does not properly tokenize or sanitize the$ARGUMENTSvariable, an attacker could potentially execute arbitrary shell commands by injecting metacharacters like;,&&, or|. - [PROMPT_INJECTION]: The skill implements a feature to display line snippets from discovered files (
--include-snippets), which creates a Category 8 Indirect Prompt Injection surface. - Ingestion points: Arbitrary local files scanned by
scripts/skill-map.pyusingripgrepacross the user's home directory. - Boundary markers: The script's text and JSON output formats do not consistently wrap content in secure delimiters or include instructions for the agent to ignore instructions found within the scanned data.
- Capability inventory: The agent utilizing this skill has read access to the local filesystem and the ability to execute shell commands via the skill's own scripts.
- Sanitization: The script performs minimal processing of file content (Unicode replacement) and does not escape or sanitize the snippets to prevent malicious instructions from influencing the agent's behavior.
- [COMMAND_EXECUTION]: The
scripts/skill-map.pyscript executes theripgrep(rg) binary viasubprocess.run(). While it uses an argument list to reduce injection risk into the binary call itself, the search patterns are dynamically constructed from data parsed from otherSKILL.mdfiles on the machine. This could be exploited if an attacker places a crafted skill file with a name or content that manipulates the external binary's behavior.
Audit Metadata