use-persona

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Python script tools/persona_runtime_loader.py to process persona data and generate a context card. While this appears to be a core functional component provided by the author, executing scripts at runtime based on user-triggered actions increases the capability surface of the agent.
  • [COMMAND_EXECUTION]: Dynamic file path construction. The skill reads from personas/others/{name}/persona.json where {name} is derived directly from user input (e.g., /use-persona [name]). This pattern is vulnerable to path traversal attacks; a malicious user could provide a name like ../../secrets to attempt to access files outside the intended personas directory.
  • [PROMPT_INJECTION]: Indirect Prompt Injection surface. The skill is designed to ingest and strictly adhere to instructions, values, and interaction patterns defined in external files (persona.json and persona.md). If these files are compromised or if a user can redirect the agent to a malicious file via path traversal, the agent's core behavior and safety boundaries could be overridden.
  • Ingestion points: personas/others/{name}/persona.json and persona.md (SKILL.md).
  • Boundary markers: Absent. The skill does not include instructions to treat the loaded persona data as untrusted or to ignore embedded instructions that conflict with system safety guidelines.
  • Capability inventory: The skill uses Read, Glob, and AskUserQuestion tools, and executes the persona_runtime_loader.py script.
  • Sanitization: Absent. There is no evidence of input validation or sanitization for the {name} parameter or the content of the loaded files.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 07:46 AM