skills/zrosenbauer/skills/skill-eval/Gen Agent Trust Hub

skill-eval

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions specify the assembly of shell commands for grading and benchmarking, such as node packages/skill-tools/dist/index.mjs eval <skill-name> <eval.id>. Because <skill-name> and <eval.id> are derived from directory names and external JSON files, they represent a command injection surface if they contain shell metacharacters (e.g., ;, &&, |) and are not properly sanitized before execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
  • Ingestion points: The prompt field from evals.json files and the body of SKILL.md files within the skills/ or .agents/skills/ directories are interpolated into system prompts for subagents.
  • Boundary markers: The skill uses basic markdown formatting but lacks explicit instructions to the subagent to ignore embedded instructions or control tokens within the evaluation prompts.
  • Capability inventory: The skill utilizes the Agent tool with subagent_type: general-purpose and executes local shell commands via a node CLI, providing a significant capability surface for a hijacked subagent to exploit.
  • Sanitization: There is no evidence of sanitization, escaping, or validation of the eval.prompt content before it is processed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 08:27 PM
Security Audit — agent-trust-hub — skill-eval