skill-management
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (MEDIUM): The script skills-cli.ts uses npx to search for and install packages (e.g., npx skills add). Since npx downloads and executes code from the npm registry at runtime, it introduces a risk of remote code execution if the package source is compromised or if typosquatting occurs.
- [COMMAND_EXECUTION] (MEDIUM): Several scripts (search.ts, skills-cli.ts) use Bun.spawn to execute external binaries like gh and npx. While using array-based arguments helps prevent shell injection, these commands execute system-level operations with parameters derived from external skill data.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and processes untrusted data from other skills.
  - Ingestion points: scripts/interactive.ts reads generated analysis files (e.g., /tmp/skill-assessment-prompt.md) containing content from third-party skills.
  - Boundary markers: None. Untrusted content from the audited skills is placed directly into the configuration for the interview tool.
  - Capability inventory: The skill can install or update other skills via Bun.spawn, which an attacker could exploit to trigger the installation of malicious tools.
  - Sanitization: There is no evidence of escaping or sanitizing the content before it is presented to the agent in a decision-making context.
- [EXTERNAL_DOWNLOADS] (LOW): scripts/search.ts initiates outbound network requests to skills.sh to fetch trending metadata, which is a non-whitelisted external domain.
Audit Metadata