skill-eval
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions specify the assembly of shell commands for grading and benchmarking, such as
node packages/skill-tools/dist/index.mjs eval <skill-name> <eval.id>. Because<skill-name>and<eval.id>are derived from directory names and external JSON files, they represent a command injection surface if they contain shell metacharacters (e.g.,;,&&,|) and are not properly sanitized before execution. - [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: The
promptfield fromevals.jsonfiles and the body ofSKILL.mdfiles within theskills/or.agents/skills/directories are interpolated into system prompts for subagents. - Boundary markers: The skill uses basic markdown formatting but lacks explicit instructions to the subagent to ignore embedded instructions or control tokens within the evaluation prompts.
- Capability inventory: The skill utilizes the
Agenttool withsubagent_type: general-purposeand executes local shell commands via anodeCLI, providing a significant capability surface for a hijacked subagent to exploit. - Sanitization: There is no evidence of sanitization, escaping, or validation of the
eval.promptcontent before it is processed by the agent.
Audit Metadata