skill-consolidator
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill requires the execution of a Python script (`scan_installed_skills.py`) that performs directory traversal on sensitive user paths, including `~/.agents/skills`, `~/.codex/skills`, and paths defined in the `CODEX_HOME` environment variable. This is necessary for the skill's purpose but grants the agent broad visibility into the user's local tools.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The workflow (Step 6) instructs the agent to run `npx skills add <owner/repo@skill-name> -g -y`, which downloads and installs remote code globally on the host machine. The use of the `-y` flag bypasses user confirmation for installation and execution.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes content from third-party skills, creating an attack surface where malicious metadata could influence agent behavior during the consolidation process.
  - Ingestion points: `scripts/scan_installed_skills.py` (reads `SKILL.md` files from various local directories).
  - Boundary markers: Absent; descriptions and headings from external skills are directly interpolated into the `overlap_report.md` and `inventory.json`.
  - Capability inventory: The agent is authorized to write new files to the `./skills/` directory and execute shell commands (`python3`, `npx`).
  - Sanitization: Parsing is performed via simple string splitting and regex tokenization with no validation of the content being extracted.
Audit Metadata