skill-search
Fail
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill clones multiple third-party GitHub repositories that are not included in the trusted vendors list, including accounts like hesreallyhim, VoltAgent, and sickn33.
- [REMOTE_CODE_EXECUTION]: The core functionality of the skill is to automate the installation of unvetted code into the ~/.claude/skills/ directory. Since the agent loads and executes skills from this location, this represents a direct path to remote code execution. Furthermore, the skill explicitly prompts users to run package managers like pip and npm on the downloaded content.
- [COMMAND_EXECUTION]: The skill utilizes shell commands (git clone, find, xargs grep, cp -r) to manage and install external content. These operations are performed on untrusted data without verification or sandboxing.
- [PROMPT_INJECTION]: The skill processes untrusted metadata and file content from external repositories and websites to provide search results. This allows for indirect prompt injection where a malicious repository author could influence the agent's behavior.
- Ingestion points: SKILL.md files from external repositories and search results from websites like skillsmp.com.
- Boundary markers: None detected; untrusted content is processed directly.
- Capability inventory: File system write access (~/.claude/skills/), network access (git, web_fetch), and command execution capabilities.
- Sanitization: No sanitization or validation of external content is performed before installation.
Recommendations
- AI detected serious security threats
Audit Metadata