skill-marketplace

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777)

The skill-marketplace specification provides useful automation for discovering and using marketplace skills, but it creates a significant supply-chain execution path: remote SKILL.md and code are downloaded and may be executed locally with broad privileges (Bash, filesystem, network). The document lacks strong, mandatory integrity and sandboxing controls (cryptographic verification, pinned commits, containerized or constrained execution, network egress policies). While no direct malicious code is present in this file, the described runtime behavior is high-risk for credential theft, data exfiltration, and arbitrary code execution if an upstream listing or linked repo is malicious or compromised. Recommend not enabling auto-invoke/auto-install in sensitive environments; require cryptographic verification and execution sandboxing (or require human approval for any install that grants Bash/filesystem/network access) before use.

LLM verification: This skill is potentially dangerous in practice because it downloads and executes third-party SKILL.md packages from an external marketplace. The capability aligns with its stated purpose, but the attack surface is large: remote code execution of unverified skills, possible execution of destructive shell commands (rm -rf), and potential for credential or data exposure if installed skills request or access secrets. The document lists some reasonable safety checks (allowed-tools, trusted_sources,

Confidence: 98%
Severity: 90%

Audit Metadata

Analyzed At: Feb 16, 2026, 09:07 PM
Package URL: pkg:socket/skills-sh/cityfish91159%2Fmaihouses%2Fskill-marketplace%2F@3f67711a1fb7f8b0eaf927df65eeae77bef47346