skill-installer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill's primary function is to download and install new executable skills into the agent's environment ($CODEX_HOME/skills). This allows for arbitrary code execution if a malicious repository is targeted.
- EXTERNAL_DOWNLOADS (HIGH): The script install-skill-from-github.py (referenced in SKILL.md) performs direct downloads or a git sparse checkout from remote repositories. The curated source 'openai/skills' is a Trusted External Source, which downgrades that specific reference to LOW, but the script itself accepts any repository the caller names and installs from it, so the finding stays HIGH.
- CREDENTIALS_UNSAFE (MEDIUM): github_utils.py reads GITHUB_TOKEN and GH_TOKEN from the environment and places them in HTTP request headers. The token is sent wherever the request goes, so if the skill's logic is pointed at, or redirected to, an attacker-controlled endpoint, the token is disclosed to that endpoint.
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to indirect prompt injection. An attacker who can place a malicious repository reference or URL in content the agent reads (a web page, a file) can cause the agent to install a backdoored skill. Evidence chain:
  1. Ingestion: repo/URL parameters come from the user or from external context.
  2. Boundary markers: none; untrusted input is not distinguished from instructions.
  3. Capability: network access, file writes to executable paths under $CODEX_HOME/skills, and access to the GitHub token.
  4. Sanitization: none; the repository reference is not validated against an allowlist and the destination path is not constrained.
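The three findings above (any-source installs, token sent to arbitrary hosts, unvalidated repo/URL and skill name) share one remedy: validate the reference before it reaches the network or the filesystem. The following is an added illustration written for this audit, not code from the skill-installer project; the function names, the allowlist (seeded only with the openai/skills source the audit mentions) and the GitHub host list are assumptions. It shows the checks the skill currently lacks: an allowlist for the repository reference, token attachment restricted to HTTPS requests to GitHub hosts, and a skill name that cannot escape the skills directory.

```python
import os
import re
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Hosts for which attaching a GitHub token is acceptable (assumed list). Any
# other host, including a redirect target or attacker-supplied mirror, gets no
# Authorization header at all.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}

# Repositories the installer may pull from. openai/skills is the curated source
# the audit names; treating it as the whole allowlist is an assumption.
ALLOWED_REPOS = {"openai/skills"}

# Characters GitHub accepts in owner/repo names; also used for skill names so a
# name can never contain a path separator.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_repo_ref(ref: str) -> Tuple[str, str]:
    """Normalise 'owner/repo' or an https://github.com/owner/repo URL to
    (owner, repo). Rejects non-HTTPS schemes and non-GitHub hosts."""
    ref = ref.strip()
    if "://" in ref:
        u = urlparse(ref)
        if u.scheme != "https" or u.hostname not in GITHUB_HOSTS:
            raise ValueError(f"refusing non-GitHub source: {ref}")
        parts = [p for p in u.path.split("/") if p]
    else:
        parts = ref.split("/")
    if len(parts) < 2:
        raise ValueError(f"expected owner/repo, got {ref!r}")
    owner, repo = parts[0], parts[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    for seg in (owner, repo):
        if not SEGMENT_RE.match(seg) or seg in {".", ".."}:
            raise ValueError(f"invalid repository segment: {seg!r}")
    return owner, repo


def check_source_allowed(ref: str) -> str:
    """Return 'owner/repo' when the reference is on the allowlist, else raise.
    This is the gate a prompt-injected URL has to pass before any download."""
    owner, repo = parse_repo_ref(ref)
    full = f"{owner}/{repo}"
    if full not in ALLOWED_REPOS:
        raise PermissionError(f"{full} is not an allowed skill source")
    return full


def auth_headers(url: str, env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Attach GITHUB_TOKEN / GH_TOKEN only for HTTPS requests to GitHub hosts.
    Pass env explicitly in tests; defaults to the real process environment."""
    env = dict(os.environ) if env is None else env
    u = urlparse(url)
    token = env.get("GITHUB_TOKEN") or env.get("GH_TOKEN")
    if token and u.scheme == "https" and u.hostname in GITHUB_HOSTS:
        return {"Authorization": f"Bearer {token}"}
    return {}


def safe_skill_dir(skills_root: str, skill_name: str) -> Path:
    """Resolve the install directory for a skill and refuse any name that
    would land outside skills_root (e.g. '../evil' or 'a/b')."""
    if not SEGMENT_RE.match(skill_name) or skill_name in {".", ".."}:
        raise ValueError(f"invalid skill name: {skill_name!r}")
    root = Path(skills_root).resolve()
    dest = (root / skill_name).resolve()
    if dest.parent != root:  # belt and braces on top of the regex
        raise ValueError(f"{skill_name!r} escapes {root}")
    return dest


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError or PermissionError; used below
    and in self-checks to show which inputs the gates refuse."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate reference and the kinds an injected
    # web page or file might smuggle in.
    for ref in ("openai/skills", "https://github.com/openai/skills",
                "attacker/backdoor", "https://evil.example/openai/skills"):
        print(f"{ref:45} allowed={not rejects(check_source_allowed, ref)}")
    fake_env = {"GITHUB_TOKEN": "ghp_example"}  # constructed, not a real token
    print(auth_headers("https://api.github.com/repos/openai/skills", fake_env))
    print(auth_headers("https://evil.example/collect", fake_env))
    print(rejects(safe_skill_dir, "/tmp/codex/skills", "../evil"))
```

The token check keys on the final request URL, so it must be applied again after every redirect rather than once on the URL the caller supplied; a client that follows redirects with the original headers still leaks the token.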
Recommendations
- AI detected serious security threats
Audit Metadata