update-skill
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to shell command injection because it interpolates the user-supplied `[skill-name]` argument directly into shell command templates such as `git log -1 --format=%cs -- skills/<name>/` and `ls ${CLAUDE_PROJECT_DIR}/skills/$ARGUMENTS/`. An attacker providing crafted input containing shell metacharacters could execute unauthorized commands in the agent's environment.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by fetching and processing untrusted data from external sources (GitHub and documentation sites) and using it to propose and apply file edits.
  - Ingestion points: Data is ingested via `mcp__surf__surf_github_get`, `mcp__surf__surf_github_search`, and `WebFetch` in Phase 2.
  - Boundary markers: The instructions specify no delimiters or safety markers to isolate external findings from the agent's internal logic.
  - Capability inventory: The agent possesses extensive capabilities, including `Edit`, `Write`, `git commit`, and `git push`, allowing full modification of the repository.
  - Sanitization: There is no evidence of content sanitization or validation of external data before it is translated into file system operations.
- [EXTERNAL_DOWNLOADS]: The skill performs runtime network operations to retrieve documentation and GitHub repository data. While these target official platforms, the specific URLs are determined dynamically at runtime based on the skill being updated, which introduces a risk if the source content is compromised.
Audit Metadata