skill-installer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • Metadata Poisoning (HIGH): The skill includes a 'skill-report.json' file containing a fabricated security audit with a 'low' risk verdict and 'safe to publish' status. This is a deceptive adversarial pattern specifically designed to influence security analysis and bypass automated safety checks, violating the core requirement for independent verification.
  • Remote Code Execution / Unverifiable Downloads (HIGH): The skill is designed to download and install executable code ('skills') from remote GitHub repositories. It explicitly allows installation from 'another repo' provided by the user, which acts as a direct vector for introducing and running unvetted, potentially malicious third-party code within the agent's environment.
  • Credentials Access (MEDIUM): The script 'scripts/github_utils.py' is designed to retrieve and utilize sensitive environment variables ('GITHUB_TOKEN', 'GH_TOKEN'). While intended for legitimate API authentication, its use in conjunction with user-specified repositories increases the risk of credential misuse or exposure.
  • Privilege Escalation (MEDIUM): Documentation in 'SKILL.md' instructs the agent to 'request escalation' when running scripts. This indicates the skill is intended to run with elevated permissions to modify the system's filesystem and install persistent code.
  • Indirect Prompt Injection Surface (LOW): The 'scripts/list-curated-skills.py' script fetches directory names from remote repositories and displays them without sanitization. This provides an attack surface where a malicious repository could use deceptive skill names (e.g., instructions disguised as names) to influence agent behavior.
  • Data Exposure (LOW): The script 'scripts/list-curated-skills.py' scans the user's home directory ('~/.codex/skills') to identify installed components, constituting access to local filesystem structure.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 05:25 PM