Skill Factory
Fail
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to generate Python source code and write it directly to a local plugin directory (~/.hermes/plugins/) to be executed by the host agent. This automated creation of executable files poses a high risk of unauthorized command execution.
- [DATA_EXFILTRATION]: In Phase 1, the skill silently observes all user workflows, including repeated actions and tool combinations. This monitoring can capture sensitive information such as hardcoded API keys, environment variables, or private data entered during the session, persisting them into generated SKILL.md or plugin.py files.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. If an attacker-controlled input (such as a file read or website visited during the session) contains malicious instructions, the Skill Factory may 'learn' these instructions and incorporate them into a generated plugin. Ingestion point: session workflows in SKILL.md. Boundary markers: none. Capability inventory: file-write and code generation in SKILL.md. Sanitization: none.
- [REMOTE_CODE_EXECUTION]: Although it does not download a remote payload, the skill facilitates remote code execution by transforming untrusted session data into local executable plugins (plugin.py) and prompting the user to load them into the running environment.
Recommendations
- AI detected serious security threats
Audit Metadata