find-skills
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill instructs the agent to run shell commands using npx. Specifically, it recommends the command 'npx skills add -g -y', which installs software globally and skips all confirmation prompts, removing the user's opportunity to review the code.
- REMOTE_CODE_EXECUTION (HIGH): The primary purpose of this skill is to fetch and execute third-party logic from remote sources. This is a direct vector for remote code execution if search results are poisoned or if a target repository is malicious.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill facilitates downloading code from various GitHub repositories. While it mentions trusted sources like vercel-labs/agent-skills, the tool is open-ended and can pull from any user-defined or search-discovered repository.
- INDIRECT PROMPT INJECTION (LOW): As a discovery tool, it processes external search results from a registry. Maliciously crafted skill descriptions in the registry could influence the agent to install dangerous packages by misrepresenting their functionality.
Recommendations
- AI detected serious security threats
Audit Metadata