skills/ericmjl/skills/skill-installer/Gen Agent Trust Hub

skill-installer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • Remote Code Execution / External Downloads (HIGH): The skill is designed to fetch content from remote sources using curl, wget, and git clone and install it into directories where AI agents automatically discover and execute skills (e.g., ~/.agents/skills/). This provides a direct delivery mechanism for malicious agent instructions.
  • Indirect Prompt Injection (LOW): This skill exposes a massive attack surface by ingesting untrusted data from URLs provided by users or external references.
      • Ingestion points: remote URLs, git repos, and zip files.
      • Boundary markers: None; entire folders are copied as-is into execution paths.
      • Capability inventory: File system write access and network retrieval using system binaries.
      • Sanitization: No content validation or security scanning is performed on downloaded skills; it only checks for the presence of YAML frontmatter.
  • Persistence (HIGH): The skill enables permanent access for downloaded payloads by installing them into machine-specific global paths like ~/.agents/skills/ or ~/.claude/skills/, allowing malicious skills to persist across different projects and sessions.
  • Command Execution (MEDIUM): The skill relies on executing system-level commands (git, curl, wget) to interact with the network and performs significant file system operations, which could be exploited if harness-specific path mapping in harness-locations.md is manipulated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:35 PM