skill-installer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The script downloads files from any user-provided GitHub URL without restriction or verification of source trustworthiness.
  • REMOTE_CODE_EXECUTION (HIGH): The skill installs and prepares executable scripts from external sources, placing them in the agent's skill directory for future execution.
  • Path Traversal (HIGH): The 'skillName' variable is extracted from the URL without sanitization. A URL ending in '..' causes the script to resolve the target directory to the parent folder (e.g., '.github/skills/..'), allowing it to overwrite or delete critical files such as GitHub Actions workflows.
  • COMMAND_EXECUTION (MEDIUM): Documentation encourages marking downloaded scripts as executable (chmod +x) and running them directly, increasing the risk of executing malicious logic.
  • Indirect Prompt Injection (LOW): The skill ingests untrusted data from external repositories. A malicious skill could contain prompt injections in its SKILL.md to subvert agent behavior. (1) Ingestion points: Files downloaded from GitHub. (2) Boundary markers: None. (3) Capability inventory: File system write, directory removal, and suggested script execution. (4) Sanitization: None.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:42 PM