skill-manager
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The update workflow described in 'SKILL.md' explicitly instructs the agent to fetch content from remote repositories and '更新 wrapper.py' (update wrapper.py). Because wrapper scripts are executable, this allows a remote attacker who controls the source repository to execute arbitrary code on the user's system.
- [COMMAND_EXECUTION]: The script 'scripts/scan_and_check.py' uses 'subprocess.run' to execute 'git ls-remote' using URLs extracted from skill metadata. While it uses argument lists to prevent shell injection, it allows execution of git commands targeting any URL provided in an external SKILL.md file.
- [EXTERNAL_DOWNLOADS]: The skill performs automated network operations to check for updates and encourages the agent to download files from remote 'source_url' locations, which may not be verified.
- [DYNAMIC_EXECUTION]: 'scripts/evo_manager.py' modifies the Python module search path at runtime using 'sys.path.insert(0, ...)' to load dependencies from a relative directory ('skill-evolution/scripts'), which can be exploited if an attacker can control the directory structure.
- [DATA_EXPOSURE]: 'scripts/delete_skill.py' provides the capability to recursively delete directories using 'shutil.rmtree'. While intended for skill removal, it represents a high-impact file system operation that relies on the agent correctly identifying the target directory.
Recommendations
- AI detected serious security threats
Audit Metadata