skill-marketplace

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill is designed to fetch content from 'skillsmp.com' and various GitHub repositories. While the documentation mentions 'trusted sources', the mechanism allows for the dynamic addition of third-party executable skills at runtime.
  • REMOTE_CODE_EXECUTION (MEDIUM): By downloading and installing SKILL.md files and associated scripts into the .claude/skills/ directory, the skill facilitates the execution of remote code. The security depends entirely on the agent's ability to 'verify' the downloaded content before execution.
  • COMMAND_EXECUTION (LOW): The skill utilizes Bash and Write tools to install and manage the downloaded skills. It explicitly mentions executing node commands to run the marketplace scripts.
  • PROMPT_INJECTION (LOW): The skill relies on parsing third-party SKILL.md files. Maliciously crafted skill definitions could contain prompt injections designed to override the primary agent's instructions once the 'skill' is loaded into the context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 06:22 PM