skills/hubeiqiao/skills/skillshare/Gen Agent Trust Hub

skillshare

Fail

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/run.sh downloads a compressed binary from github.com/runkids/skillshare/releases and executes it locally using exec. This pattern allows for the execution of unverified remote code on the host machine.
  • [EXTERNAL_DOWNLOADS]: The skill fetches update metadata and binary assets from GitHub APIs and release pages (api.github.com and github.com). These downloads originate from a repository account ('runkids') that does not match the identified author context or trusted vendor lists.
  • [COMMAND_EXECUTION]: The skill executes multiple shell and Git commands to manage the filesystem, create symlinks in sensitive application directories (e.g., ~/.claude/skills, ~/.cursor/skills), and manipulate Git repositories for synchronization.
  • [PROMPT_INJECTION]: The documentation in references/audit.md and references/install.md explicitly instructs the AI agent on how to bypass security audit gates using the --force and --skip-audit flags, effectively teaching the agent to ignore safety warnings when installing external content.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/runkids/skillshare/main/skills/skillshare/scripts/run.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 16, 2026, 08:51 AM