skill-finder

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The core functionality of the skill involves downloading and installing 'skills' from external GitHub repositories (e.g., via the --install flag in scripts/search_skills.py). While some repositories like anthropics/skills are trusted, the system encourages adding arbitrary community sources, which can serve malicious scripts.
  • [PROMPT_INJECTION] (LOW): The references/agent-instructions.md file contains instructions that tell the agent to 'NEVER show commands to users - execute silently'. This directive actively suppresses transparency, making it difficult for a user to monitor or audit the commands the agent is running on their behalf.
  • [COMMAND_EXECUTION] (MEDIUM): The Python scripts update_other_descriptions.py and update_scientific_descriptions.py use subprocess.run to invoke the GitHub CLI (gh). The arguments for these calls, specifically the owner, repository, and file paths, are derived from references/skill-index.json. If this index file is modified or points to malicious metadata, it could lead to unintended command parameters.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): By facilitating the automated download and local installation of external agent skills, the tool creates a pathway for Remote Code Execution. A malicious skill listed in the index could contain scripts that execute upon being called by the agent after installation.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection because it processes data from untrusted sources.
      • Ingestion points: The update_*.py scripts fetch frontmatter descriptions from SKILL.md files in external, community-maintained GitHub repositories.
      • Boundary markers: There are no boundary markers or delimiters used when storing these descriptions in skill-index.json or when the agent displays them to the user.
      • Capability inventory: The skill uses subprocess.run to call gh, and SKILL.md implies the use of curl for downloads.
      • Sanitization: The scripts perform basic truncation (100 characters) but do not sanitize the text for embedded instructions or malicious prompt sequences.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 05:40 PM