skill-installer
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill is explicitly designed to download content from arbitrary, user-provided GitHub repositories via the `--repo` and `--url` parameters in `scripts/install-skill-from-github.py`. While it defaults to trusted sources (openai/skills), the lack of restriction on external sources is a high-risk vector.
- REMOTE_CODE_EXECUTION (HIGH): By downloading scripts and placing them in the `$CODEX_HOME/skills` directory, the skill enables the execution of unverified remote code. If a malicious skill is installed, it could compromise the entire agent environment.
- COMMAND_EXECUTION (MEDIUM): The helper scripts perform file system modifications and network requests. The prompt notes that these scripts require 'escalation' when running in a sandbox, indicating they perform privileged operations.
- CREDENTIALS_UNSAFE (LOW): The skill mentions the use of `GITHUB_TOKEN` and `GH_TOKEN` for accessing private repositories. While no tokens are hardcoded, the handling of sensitive credentials by an installation script that interacts with untrusted remote content increases the risk of token exposure.
- INDIRECT_PROMPT_INJECTION (LOW):
  - Ingestion points: Content and metadata from remote GitHub repositories (SKILL.md, scripts).
  - Boundary markers: Absent. There are no mechanisms to delimit or verify the safety of the downloaded instructions.
  - Capability inventory: File writing to the local skill path, network communication, and eventual execution of the installed code.
  - Sanitization: Absent. The script performs direct downloads and installations without scanning for malicious patterns.
Recommendations
- AI detected serious security threats
Audit Metadata