skill-install
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- External Downloads & Unverifiable Dependencies (HIGH): The skill fetches content from arbitrary GitHub URLs provided by the user. It downloads executable scripts and configuration files from untrusted sources and writes them to the local filesystem.
  - Evidence: Step 4 and Step 7 in SKILL.md describe fetching raw content from raw.githubusercontent.com and writing it to ~/.claude/skills/.
- Persistence Mechanisms (HIGH): The primary purpose of this skill is to install new capabilities that persist across sessions. By writing to the ~/.claude/skills/ directory, it modifies the agent's long-term behavior and environment.
  - Evidence: Step 7 explicitly details creating directories and writing files to the local user profile's skill store.
- Indirect Prompt Injection (LOW): The skill is highly vulnerable to indirect prompt injection. It ingests untrusted SKILL.md files and scripts which are then passed directly into a 'Security Scan' prompt. An attacker can include instructions within a malicious skill to trick the scanner into returning a 'SAFE' verdict.
  - Ingestion points: GitHub raw content (SKILL.md, scripts/)
  - Boundary markers: Absent. The content is interpolated directly into the security prompt template.
  - Capability inventory: WebFetch (network), Write (file-write), and the ability to set file permissions (executable).
  - Sanitization: None. The skill does not sanitize or escape the downloaded content before processing it.
- Privilege Escalation & Command Execution (HIGH): The skill explicitly attempts to grant execution permissions to downloaded scripts, which can lead to arbitrary code execution with the agent's privileges.
  - Evidence: Step 7, point 3: 'Ensure proper file permissions (executable for scripts)'.
Recommendations
- AI detected serious security threats
Audit Metadata