skill-manager
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS & REMOTE_CODE_EXECUTION (HIGH): The skill's primary purpose is to download scripts from user-provided GitHub URLs and place them in the ~/.claude/skills/ directory. Since Claude Code skills are executable extensions, this allows for the installation and subsequent execution of unvetted third-party code.
  - Evidence: Instructions explicitly direct the agent to run install-skill.sh "<github-url>" and update-skill.sh <skill-name>.
- INDIRECT PROMPT INJECTION (HIGH): The skill ingests data from external GitHub repositories (Tier: External content + write/execute capability). A malicious repository could contain instructions in its metadata or README designed to trick the agent during the installation or update review process (e.g., hiding malicious code in a large diff).
  - Ingestion points: GitHub URLs provided by users and upstream updates.
  - Boundary markers: Absent in instructions.
  - Capability inventory: install-skill.sh, update-skill.sh, uninstall-skill.sh (shell script execution and file system modification).
  - Sanitization: None specified; relies on user review of diffs.
- COMMAND_EXECUTION (MEDIUM): The skill relies on a suite of shell scripts to perform system operations (file moves, git commands, network requests via curl). While the scripts themselves are not provided, the pattern of executing shell scripts with user-supplied arguments (URL, skill-name) carries an inherent risk of command injection if arguments are not properly sanitized within the .sh files.
Recommendations
- AI detected serious security threats
Audit Metadata