skill-installer
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches skill listings and file content from GitHub.
  - Evidence: The skill connects to api.github.com and codeload.github.com in scripts/list-curated-skills.py and scripts/install-skill-from-github.py.
  - Context: The default source is openai/skills, which is a trusted organization.
- [COMMAND_EXECUTION]: Uses the git command-line tool via subprocess to download repository content.
  - Evidence: Employs subprocess.run for git clone and sparse-checkout operations in scripts/install-skill-from-github.py.
- [DATA_EXFILTRATION]: Handles GitHub tokens for authenticated requests.
  - Evidence: The github_utils.py script reads GITHUB_TOKEN from environment variables and provides it to GitHub API endpoints.