sophnet-skill-installer

Fail

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill implements a workflow that automatically executes scripts found in newly downloaded/updated skills. Specifically, scripts/install-skills.py identifies 'pending' skills and then searches for and executes install.sh or install.py within the downloaded directories using subprocess.run.
  • [COMMAND_EXECUTION]: The scripts/install-skill-from-github.py script uses subprocess.run to execute git commands, including git clone and git sparse-checkout. While primarily for downloading, this involves spawning system processes based on external repository inputs.
  • [EXTERNAL_DOWNLOADS]: The skill is designed to download content from arbitrary GitHub repositories. If a requested skill is not found in the default repository (DuffyCoder/awesome-sophnet-skills), it explicitly prompts the user to provide an alternative GitHub repository and path, then proceeds to download and extract content from that source.
  • [DATA_EXFILTRATION]: The scripts/github_utils.py and other scripts access the GITHUB_TOKEN or GH_TOKEN environment variables to authenticate requests to the GitHub API. While this is a common pattern for increasing rate limits or accessing private repos, it represents a credential access pattern.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 12, 2026, 08:08 AM