skill-installer
Audited by Socket on Feb 16, 2026
1 alert found:
Malware
[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

No direct indicators of malicious code in the installer description itself — network calls target GitHub and use standard methods, and environment variables requested are reasonable for private repo access. However, this skill materially increases supply-chain risk because it installs arbitrary repository content into the agent's skills directory and can use tokens or host git credentials to access private repos. Treat the installer as 'suspicious' from a supply-chain perspective: the tool is functionally correct for installing skills but grants the ability to pull and place code that will be executed by the agent. Operators should verify sources, restrict tokens, and avoid running with elevated privileges or allowing automatic execution of fetched code.

LLM verification: SUSPICIOUS: The skill's stated purpose (installing skills from curated or arbitrary GitHub repos) matches its capabilities, but the design grants the ability to fetch arbitrary repositories (including private ones via tokens), write/overwrite code into the agent's runtime skills directory, and requests escalated execution privileges in sandboxed environments. Those behaviors are coherent with an installer but are high-risk for supply-chain compromise because installed skill code will be executed