skill-installer
Warn
Audited by Snyk on Mar 14, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's scripts (scripts/list-skills.py and scripts/install-skill-from-github.py) explicitly fetch content from GitHub (via the GitHub API and codeload/git clone of arbitrary owner/repo or user-provided URLs) and install those public or user-supplied repo files into $CODEX_HOME/skills, meaning untrusted third-party content is ingested and can materially alter the agent's behavior by adding new skills.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installer scripts fetch repository contents at runtime from GitHub (e.g. https://codeload.github.com/{owner}/{repo}/zip/{ref} and https://api.github.com/repos/{repo}/contents/{path}?ref={ref}), and those fetched SKILL.md and repo files can directly control agent prompts or include code that the skill system will install and run, so this is a required external dependency that can control agent behavior.
Issues (2)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).