skill-factory
Fail
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill is designed to download the 'Skill_Seekers' tool from a third-party GitHub repository ('yusufkaraaslan/Skill_Seekers'). This source is not associated with the skill's author or any verified vendor organizations.
- [REMOTE_CODE_EXECUTION]: The provided installation script ('scripts/install-skill-seekers.sh') performs a 'git clone' of a remote repository followed by a 'pip install' on its requirements file. This process downloads and installs unverified packages that could contain malicious setup scripts. Additionally, the skill executes Python scripts and shell commands found within the downloaded repository.
- [COMMAND_EXECUTION]: The skill uses powerful shell commands including 'rm -rf' for file cleanup and 'git clone'/'git pull' for repository management. It also utilizes 'subprocess.Popen' to run the external scraping logic, which involves executing code derived from a remote source.
- [PROMPT_INJECTION]: The skill contains instructions that promote extreme autonomy, explicitly telling the agent that 'No decision-making required' and 'I'll handle everything.' This encourages the agent to bypass user confirmation for installing and executing newly created skills.
- [PROMPT_INJECTION]: The skill architecture processes untrusted external data (scraped documentation, GitHub repositories, or PDFs) to generate executable agent instructions. This creates a surface for indirect prompt injection where an attacker could place malicious instructions on a documentation site to compromise the generated skill.
Recommendations
- AI detected serious security threats
Audit Metadata