
[Skill Submission] skill-generalizer#28

Merged
whw merged 1 commit into main from skill/skill-generalizer-1774314176081
Mar 24, 2026

Conversation

@everyskill-bot
Contributor

New Skill Submission

Skill: skill-generalizer
Submitted by: Brandon Gell
Reason: Transforms team-built, use-case-specific skills into generalized, onboardable skills that any Plus One bot can adopt. Includes a structured generalization process, onboarding convention with behavior rules (no parroting, re-test after changes, no internal dialogue), review checklist, and example transformations.


This PR was auto-generated from skills.every.to (agent-api).

AI security review will run automatically.

@everyskill-bot everyskill-bot bot requested a review from a team as a code owner March 24, 2026 01:02
@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Mar 24, 2026

Deploying everyskill with Cloudflare Pages

Latest commit: 5bbae5d
Status: ✅ Deploy successful!
Preview URL: https://30298b95.everyskill.pages.dev
Branch Preview URL: https://skill-skill-generalizer-1774.everyskill.pages.dev


@github-actions

Frontier Model Security Review

Agent Verdict
Claude Opus 4.6 PASS
GPT-5.2 WARN

Final Verdict: WARN


Claude Opus 4.6 Analysis
{"verdict": "PASS", "issues": [], "reasoning": "This skill is a meta-skill that transforms team-specific skills into generalized, onboardable ones. It is essentially a template/guide for producing SKILL.md files. Analysis of each concern: 1) Prompt injection: No hidden instructions, no 'ignore previous' directives, no encoded commands. The skill instructs the LLM on how to rewrite skill files following a structured process. All instructions are transparent and directly related to the stated purpose. 2) Dangerous tool usage: The skill does not invoke any tools directly — no Bash commands, no file deletion, no system-level operations. It references rewriting SKILL.md files and creating cron jobs, but these are standard Plus One bot operations within the expected skill framework, not unrestricted shell access. 3) Data exfiltration: No external URLs are contacted. No credentials are read or transmitted. The skill explicitly instructs removing hardcoded API keys, tokens, and credentials from skills during generalization — this is actually a security-positive behavior. 4) Social engineering: No manipulation attempts. The skill is straightforward about its purpose and process. The onboarding behavior rules explicitly say 'never show internal dialogue' and 'do not parrot back,' which are UX guidelines, not manipulation. 5) Overly permissive allowed-tools: No allowed-tools are specified. The skill operates purely as prompt instructions for the LLM to follow when generalizing other skills. The skill is well-structured, follows a clear template pattern, and its security posture is actually positive — it instructs the removal of hardcoded credentials, team-specific identifiers, and sensitive configuration from skills being generalized."}
GPT-5.2 Analysis
{"verdict":"WARN","issues":[{"category":"Prompt-injection / self-modification","severity":"medium","evidence":"Instructions to “Rewrite this SKILL.md file” by removing frontmatter fields and deleting the entire ## Onboarding section; “update this SKILL.md file directly” on user request.","risk":"If an attacker can influence onboarding answers or subsequent “customization” requests, they may induce persistent instruction changes (skill becomes a writable prompt). This is a common persistence vector for prompt injection."},{"category":"Dangerous tool usage / filesystem modification","severity":"medium","evidence":"“Rewrite this SKILL.md file… Remove… Fill in the user's answers directly… Create the cron job…”","risk":"Creates an implicit requirement for file write access and cron creation. Without strict constraints and validation, this can enable arbitrary file edits or job scheduling abuse if mapped to tools with broad permissions."},{"category":"Risky scheduling (cron)","severity":"medium","evidence":"“If a cron job was configured: Create the cron job with the user's chosen schedule.”","risk":"Cron creation is a privileged action; malicious schedules (high frequency) can cause DoS/resource exhaustion. If cron commands are constructed unsafely, may allow command injection."},{"category":"Potential data exfiltration via “test” step","severity":"low","evidence":"“Test the skill: run it once… If the skill fetches content, fetch it now…”","risk":"Encourages network fetching during onboarding. While not specifying tools/endpoints, it can lead to SSRF-like behaviors if later generalized skills accept arbitrary URLs (e.g., RSS). Needs allowlisting/validation guidance."},{"category":"Overly broad operational scope / missing guardrails","severity":"low","evidence":"General engine instructions cover many integrations but do not define safe tool boundaries, input validation, or prohibitions on reading local secrets.","risk":"Not directly malicious, but incomplete security constraints can lead to unsafe implementations when adopted."}],"reasoning":"No obvious hidden/encoded prompt injection strings, social engineering, or explicit exfiltration directives are present. However, the skill explicitly instructs persistent modification of its own SKILL.md and creation/update of cron jobs, which are high-risk operations if the runtime grants write/exec privileges. The onboarding “test” loop and acceptance of arbitrary sources/schedules can be abused without strong validation, rate limits, and strict tool scoping. Recommend adding explicit constraints: limit file edits to the skill’s own directory, disallow modifying security-critical sections, validate/normalize cron expressions with safe frequency caps, require URL allowlisting or safe fetch proxying, and define minimal tool permissions."}

Frontier model review complete. Human approval still required.
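The GPT-5.2 review above recommends confining SKILL.md edits to the skill's own directory and validating cron expressions with a safe frequency cap. As an added example, not code from the everyskill project or from either reviewer, this Python implements those two guardrails as a bot runtime could apply them before writing a file or scheduling a job; the 15-minute cap, the skill-directory layout and the sample paths are assumptions.

```python
from pathlib import Path

MIN_CRON_INTERVAL_MINUTES = 15  # constructed cap for this example; tune per deployment
UNSAFE_CHARS = "\n\r;|&`$"  # would let a schedule string escape into a shell command line


def is_within_skill_dir(skill_dir: str, target: str) -> bool:
    """True only if target resolves inside skill_dir: blocks ../ traversal, absolute paths, symlink escapes."""
    root = Path(skill_dir).resolve()
    path = (root / target).resolve()  # an absolute target replaces root when joined, so it is checked too
    return root in path.parents


def _minute_values(field: str) -> set:
    """Expand a cron minute field (*, */N, a-b, a-b/N, comma lists) into the set of minutes it fires on."""
    values = set()
    for part in field.split(","):
        rng, _, step_s = part.partition("/")
        step = int(step_s) if step_s else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-", 1))
        else:
            lo = hi = int(rng)
        if not (0 <= lo <= hi <= 59) or step < 1:
            raise ValueError(f"bad minute field: {field}")
        values.update(range(lo, hi + 1, step))
    return values


def min_minute_gap(minute_field: str) -> int:
    """Smallest gap in minutes between two firings inside one hour (wrapping at 60); 60 for a single minute."""
    mins = sorted(_minute_values(minute_field))
    return min([b - a for a, b in zip(mins, mins[1:])] + [mins[0] + 60 - mins[-1]])


def validate_cron(expr: str, min_interval: int = MIN_CRON_INTERVAL_MINUTES) -> tuple:
    """Return (ok, reason): rejects shell metacharacters, malformed fields and burst rates above the cap."""
    if any(c in expr for c in UNSAFE_CHARS):
        return False, "unsafe characters in schedule"
    fields = expr.split()
    if len(fields) != 5:
        return False, "expected 5 fields"
    try:
        gap = min_minute_gap(fields[0])
    except ValueError as exc:
        return False, str(exc)
    if gap < min_interval:
        return False, f"fires every {gap} min; cap is {min_interval}"
    return True, "ok"
```

The minute-field check measures burst rate within an hour, so a schedule restricted to one hour but firing every few minutes inside it is still rejected.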

@whw whw merged commit 3d63482 into main Mar 24, 2026
5 checks passed