The Agent Skills Directory

REMOTE_CODE_EXECUTION (CRITICAL): The skill is designed to fetch, download, and install external 'skills' (which contain executable logic and instructions) from any GitHub repository into the agent's home directory ($CODEX_HOME/skills). This allows for arbitrary code execution if a user is directed to install a malicious repository.
CREDENTIALS_UNSAFE (HIGH): The scripts/github_utils.py file automatically attaches the GITHUB_TOKEN or GH_TOKEN environment variables to requests. Because the repository and path are user-controllable via CLI arguments in list-curated-skills.py, an attacker could potentially trick the tool into sending the token to a malicious API endpoint (SSRF/Credential theft).
COMMAND_EXECUTION (HIGH): The documentation in SKILL.md indicates that the installer scripts use git sparse checkout and direct downloads, and explicitly instructs the agent to 'request escalation' (sudo/admin access) when running in a sandbox environment.
EXTERNAL_DOWNLOADS (HIGH): The skill performs unverified downloads from remote sources. While it defaults to openai/skills (a trusted organization), it provides explicit functionality to download from any arbitrary --repo or --url provided by a user or an attacker.
INDIRECT PROMPT INJECTION (HIGH): The skill processes directory names and metadata from remote GitHub repositories without sanitization. An attacker controlling a repository could use malicious directory names or skill metadata to influence the agent's behavior during the 'list' or 'install' phases.
PERSISTENCE MECHANISM (HIGH): By installing files into the $CODEX_HOME/skills directory, the skill creates a permanent presence in the agent's environment that persists across sessions and is automatically loaded on restart.

skill-installer