skill-suggest

Fail

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the installation and execution of arbitrary third-party code via the 'npx skills add' command, with the specific payloads determined by responses from the 'skills.sh' API.
  • [EXTERNAL_DOWNLOADS]: Downloads and installs software from a remote, non-whitelisted registry. While it uses install counts as a ranking signal, this metadata originates from the same untrusted source and does not guarantee security.
  • [COMMAND_EXECUTION]: Programmatically executes shell commands with the '-y' flag to automate the installation of external tools, which prevents the user from reviewing or declining the installation of potentially malicious skills.
  • [DATA_EXFILTRATION]: Extracts project technical metadata, including monorepo structure and specific library versions from manifest files (e.g., package.json, Cargo.toml), and transmits this information to an external API (skills.sh).
  • [PROMPT_INJECTION]: The skill ingests untrusted data from local manifest files to generate search queries and installation commands without explicit sanitization, creating an attack surface for indirect prompt injection.
  • Ingestion points: Project manifest files scanned during tech stack detection (SKILL.md Step 1).
  • Boundary markers: No delimiters or warnings are used to isolate untrusted manifest data.
  • Capability inventory: Shell execution (npx), network operations, and filesystem read/write.
  • Sanitization: No evidence of validation or escaping for extracted dependency names before their use in commands or API requests.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 30, 2026, 03:30 AM