update-skill

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill is vulnerable to shell command injection because the user-supplied [skill-name] argument is interpolated directly into shell command templates such as git log -1 --format=%cs -- skills/<name>/ and ls ${CLAUDE_PROJECT_DIR}/skills/$ARGUMENTS/. Input containing shell metacharacters could therefore execute unauthorized commands in the agent's environment.
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface by fetching and processing untrusted data from external sources (GitHub and documentation sites) and using it to propose and apply file edits.
      • Ingestion points: Data is ingested via mcp__surf__surf_github_get, mcp__surf__surf_github_search, and WebFetch in Phase 2.
      • Boundary markers: The instructions specify no delimiters or safety markers that isolate external findings from the agent's internal logic.
      • Capability inventory: The agent possesses extensive capabilities, including Edit, Write, git commit, and git push, allowing full modification of the repository.
      • Sanitization: There is no evidence that external data is sanitized or validated before it is translated into file system operations.
  • [EXTERNAL_DOWNLOADS]: The skill performs runtime network operations to retrieve documentation and GitHub repository data. Although these target official platforms, the specific URLs are determined dynamically at runtime from the skill being updated, which introduces a risk if the source content is compromised.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 15, 2026, 01:39 AM