skill-installer

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill's core purpose is to download and install executable code (scripts and instructions) into the agent's working directory ($CODEX_HOME/skills).
      • Evidence: The script scripts/install-skill-from-github.py accepts arbitrary --repo and --url arguments.
      • Impact: Successfully installing a malicious skill gives an attacker persistent influence over the agent's behavior and access to the host environment.
  • [EXTERNAL_DOWNLOADS] (HIGH): While the skill defaults to a trusted repository (openai/skills), it permits connections to any GitHub repository, including private ones using local credentials.
      • Evidence: Support for --repo <owner>/<repo> and fallback to git sparse checkout for arbitrary sources.
  • [COMMAND_EXECUTION] (MEDIUM): The installation process involves executing shell-level operations (git, curl) and requires sandbox escalation to function.
      • Evidence: Explicit instructions to 'request escalation when running' scripts due to network and file system requirements.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): This skill represents a significant attack surface for indirect injection. The data ingested from external repositories (skill definitions) determines the agent's future logic and constraints.
      • Ingestion points: GitHub API (skill listing) and repository file contents (installation).
      • Boundary markers: None mentioned; the agent is expected to 'pick up new skills' immediately after restart.
      • Capability inventory: The skill has file-write access to the agent's skill directory and network access.
      • Sanitization: No sanitization or verification of the downloaded skill content is described.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 15, 2026, 08:57 PM