skill-system-installer
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads repository archives and curated skill catalogs from GitHub. The default sources are verified repositories belonging to OpenAI, a trusted organization.
- [COMMAND_EXECUTION]: It utilizes system commands like `git` for efficient sparse checkouts and clones. All command execution is handled via Python's `subprocess` module using argument lists, which prevents shell injection.
- [PROMPT_INJECTION]: The skill presents directory names and status information fetched from remote GitHub repositories to the user. This constitutes a surface for indirect prompt injection where a malicious repository owner could attempt to influence agent behavior through crafted directory names.
  - Ingestion points: Repository content listings fetched via the GitHub API in `scripts/list-curated-skills.py`.
  - Boundary markers: No specific delimiters or instruction-ignore warnings are applied to the generated list output in `SKILL.md`.
  - Capability inventory: The skill is capable of writing files to the local file system (`fs.write`) and executing subprocesses (`proc.exec`) to facilitate skill installation.
  - Sanitization: Directory names are extracted as strings from JSON API responses without additional sanitization or character filtering before display.
Audit Metadata