skill-curator
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFE
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill establishes an automated pipeline for indirect prompt injection by promoting untrusted drafts to active instructions based on usage metrics.
  - Ingestion points: Reads markdown and YAML drafts from the ~/.claude/skills-drafts/ directory.
  - Boundary markers: No delimiters or safety instructions are defined to separate the curator's logic from the content of the drafts being reviewed.
  - Capability inventory: The skill has the authority to move files into the active ~/.claude/skills/ directory and perform git operations.
  - Sanitization: There is no evidence of content validation or sanitization before a draft is 'promoted' (enabled) for future sessions.
- [COMMAND_EXECUTION]: The integration with git for history and rollback ('Rollback via git') implies the execution of shell commands to manage the versioning of the local skills repository.
- [DATA_EXFILTRATION]: The skill performs extensive file system operations (read, write, move) within the ~/.claude/ directory, which contains sensitive agent configuration and historical data.
- [PROMPT_INJECTION]: The instructions explicitly discourage manual review ('Zero manual review required', 'runs silently'), which reduces the user's ability to oversee or intercept changes to the agent's instruction set.
Audit Metadata