find-skills
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- Remote Code Execution (HIGH): The skill's primary function is to run npx skills add <package>, which downloads and installs code from remote repositories (GitHub).
  - Evidence: The documentation explicitly instructs the agent to use the -y flag (e.g., npx skills add <owner/repo@skill> -g -y), which is designed to skip confirmation prompts, enabling the silent installation and potential execution of untrusted code.
- Command Execution (HIGH): The agent is directed to execute shell commands (npx skills find [query]) where the [query] is derived directly from user input.
  - Evidence: This creates a command injection surface if the underlying CLI tool does not perfectly sanitize arguments, or if the agent is tricked into including shell metacharacters in the query.
- Indirect Prompt Injection (LOW): The skill processes output from an external search registry (skills.sh) which contains untrusted third-party data.
  - Ingestion points: The results returned by npx skills find.
  - Boundary markers: None present in the instructions to help the agent distinguish between tool output and instructions.
  - Capability inventory: The agent has the ability to write to the filesystem and install global packages via the add command.
  - Sanitization: No sanitization or verification of the found skill's metadata is performed before presenting it to the user or offering to install it.
- Privilege Escalation (MEDIUM): The skill encourages the use of the -g (global) flag for installations.
  - Evidence: Global installations often affect the entire system environment rather than a local project, increasing the impact of a malicious package installation.
Recommendations
- AI detected serious security threats
Audit Metadata