skill-installer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill's primary purpose is to download and install external code into the agent's environment (`$CODEX_HOME/skills`). This allows for the execution of unverified remote scripts.
- [EXTERNAL_DOWNLOADS] (HIGH): Instructions in `SKILL.md` and parameters in `scripts/list-skills.py` allow users to specify arbitrary GitHub repositories (`--repo`, `--url`). This bypasses safety controls by allowing the agent to ingest content from untrusted external sources.
- [PROMPT_INJECTION] (HIGH): (Indirect) The skill fetches directory names from external repositories via the GitHub API and displays them to the user or processes them. An attacker could name a directory with malicious instructions (e.g., 'ignore-previous-instructions') to manipulate the agent's behavior during the listing process (Category 8).
  - Ingestion point: `scripts/list-skills.py` calls the GitHub API to fetch repository contents.
  - Capability: The agent can write to the filesystem and potentially execute installed skills.
  - Boundary markers: None present. The script directly parses JSON names from the API response.
  - Sanitization: None. The script uses raw directory names directly from the remote source.
- [CREDENTIALS_UNSAFE] (MEDIUM): `scripts/github_utils.py` programmatically retrieves sensitive authentication tokens (`GITHUB_TOKEN`, `GH_TOKEN`) from the environment variables to include in API headers.
- [COMMAND_EXECUTION] (LOW): `scripts/list-skills.py` performs local filesystem operations (`os.listdir`, `os.path.isdir`) to check for already installed skills.
Recommendations
- AI detected serious security threats
Audit Metadata