skills-management
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill enables downloading third-party skills from GitHub and the skills.sh registry via the npx skills tool, which is associated with well-known developers.
- [REMOTE_CODE_EXECUTION]: Uses npx to execute the skills CLI for managing the skill ecosystem; this utility is maintained by a well-known organization and is used for its intended administrative purpose.
- [COMMAND_EXECUTION]: Uses Python scripts to perform file management and skill lifecycle operations across various AI agents.
- [PROMPT_INJECTION]: Processes external skill documentation and includes an auditing script (review_skill.py) that checks for malicious patterns such as XML tags in frontmatter.
- [SAFE]: Implements defensive coding practices, such as path sanitization in install_skill.py and a structured assessment framework for evaluating external skills.
Audit Metadata