skill-creator
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The SKILL.md file (Step 1, Item 3) and assets/SKILL.template.md (Step 2, Item 3) contain instructions to execute shell commands that incorporate unvalidated user input through placeholders.
- Evidence: python scripts/validate-metadata.py --name "[name]" --description "[description]" and python scripts/[script-name].py.
- Risk: If an agent interprets these instructions by directly concatenating user input into a shell string, a malicious user could provide input containing shell metacharacters (e.g., ;, &&, |, backticks) to execute unauthorized commands on the underlying system.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted metadata and script names into sensitive operations without boundary markers or sanitization.
- Ingestion points: User-provided strings for the [name], [description], and [script-name] placeholders in SKILL.md and assets/SKILL.template.md.
- Boundary markers: Absent. The instructions do not define delimiters for user input or warn the agent to ignore instructions embedded within the metadata or script names.
- Capability inventory: The skill uses scripts/validate-metadata.py for command execution and performs file system operations (directory and file creation) based on user input.
- Sanitization: While scripts/validate-metadata.py validates the name format using a regular expression, this validation occurs after the shell has already processed the arguments. No character-level validation or escaping is performed on the description or script-name fields prior to execution.
Audit Metadata