skill-installer
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the 'subprocess' module in 'scripts/install-skill-from-github.py' to execute git commands (clone and sparse-checkout). This is the primary mechanism for retrieving skill source code. The implementation mitigates injection risks by passing arguments as a list rather than a shell string.
- [EXTERNAL_DOWNLOADS]: The skill fetches content from 'github.com', 'api.github.com', and 'codeload.github.com'. It facilitates the download of third-party code, which is its primary function. Downloads are restricted to the well-known GitHub service.
- [CREDENTIALS_UNSAFE]: The 'scripts/github_utils.py' script retrieves 'GITHUB_TOKEN' or 'GH_TOKEN' from environment variables to authenticate API requests. This is a standard practice for managing GitHub API rate limits and accessing private repositories.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted data from external repositories. Ingestion points: GitHub API and repository contents ('scripts/list-skills.py', 'scripts/install-skill-from-github.py'). Boundary markers: None identified. Capability inventory: Subprocess execution of git, file system writing via 'shutil.copytree'. Sanitization: Includes relative path validation and ZipSlip protection during archive extraction.
- [SAFE]: The code includes defensive measures such as '_safe_extract_zip' which validates that extracted files reside within the intended destination directory, preventing path traversal attacks.
Audit Metadata