skill-map

Warn

Audited by Gen Agent Trust Hub on Jul 5, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The workflow in SKILL.md executes the helper script using the pattern uv run scripts/skill-map.py "$ARGUMENTS". This interpolation of user-supplied arguments into a shell command string is susceptible to shell injection attacks. If the platform does not properly tokenize or sanitize the $ARGUMENTS variable, an attacker could potentially execute arbitrary shell commands by injecting metacharacters like ;, &&, or |.
  • [PROMPT_INJECTION]: The skill implements a feature to display line snippets from discovered files (--include-snippets), which creates a Category 8 Indirect Prompt Injection surface.
  • Ingestion points: Arbitrary local files scanned by scripts/skill-map.py using ripgrep across the user's home directory.
  • Boundary markers: The script's text and JSON output formats do not consistently wrap content in secure delimiters or include instructions for the agent to ignore instructions found within the scanned data.
  • Capability inventory: The agent utilizing this skill has read access to the local filesystem and the ability to execute shell commands via the skill's own scripts.
  • Sanitization: The script performs minimal processing of file content (Unicode replacement) and does not escape or sanitize the snippets to prevent malicious instructions from influencing the agent's behavior.
  • [COMMAND_EXECUTION]: The scripts/skill-map.py script executes the ripgrep (rg) binary via subprocess.run(). While it uses an argument list to reduce injection risk into the binary call itself, the search patterns are dynamically constructed from data parsed from other SKILL.md files on the machine. This could be exploited if an attacker places a crafted skill file with a name or content that manipulates the external binary's behavior.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 5, 2026, 05:05 PM
Security Audit — agent-trust-hub — skill-map