skill-installer
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill's primary function is to download and install executable content from remote GitHub repositories. While it defaults to a trusted organization (openai), it explicitly supports installation from arbitrary, untrusted repositories.
- REMOTE_CODE_EXECUTION (HIGH): By installing downloaded scripts into the agent's active skill directory ($CODEX_HOME/skills), the skill acts as a delivery mechanism for third-party code that the agent is then instructed to run.
- COMMAND_EXECUTION (MEDIUM): The included scripts perform file system operations and network requests. The instructions explicitly ask for sandbox escalation, indicating high-privilege operations.
- CREDENTIALS_UNSAFE (LOW): The utility scripts access GITHUB_TOKEN and GH_TOKEN from the environment to facilitate API requests. While standard for GitHub tools, this exposes sensitive credentials to the skill's logic.
- INDIRECT PROMPT INJECTION (LOW):
  1. Ingestion points: Data from the GitHub API (file names and paths) processed in scripts/list-skills.py.
  2. Boundary markers: Absent; data is printed directly to the agent.
  3. Capability inventory: File system writes and network execution via the referenced installation scripts.
  4. Sanitization: None; external data is used directly for output and potentially for path construction.
Recommendations
- AI detected serious security threats
Audit Metadata