skills-manager
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Remote Code Execution (HIGH): The skill enables the installation of content from arbitrary sources using the command npx skills add <source> -g -y. Because <source> can be a direct GitHub URL, this pattern allows for downloading and immediately executing untrusted code with the user's permissions, skipping all confirmation prompts.
- External Downloads (HIGH): The skill facilitates fetching executable scripts and configuration files from unverified third-party registries and GitHub repositories, creating a significant supply-chain risk.
- Command Execution (MEDIUM): The skill relies on executing system-level commands via bun and npx to perform its core functions. While intended for management, these capabilities provide a broad surface for command injection if inputs are not strictly validated.
- Indirect Prompt Injection (LOW): The inspect and validate functions read the contents of external files (SKILL.md and scripts) into the agent's context. A malicious skill could be crafted to include hidden instructions that hijack the agent's behavior during these management operations.
- Evidence for Category 8:
  - Ingestion points: inspect and validate commands (reading local and remote skill files).
  - Boundary markers: None provided in the command usage.
  - Capability inventory: Subprocess execution (bun, npx), global skill installation, file system access.
  - Sanitization: No sanitization or escaping of external skill content is indicated before processing.
Recommendations
- AI detected serious security threats
Audit Metadata