related-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill is designed to fetch and install external packages from the inference.sh registry. This registry is not part of the defined list of trusted sources, making the downloaded content unverifiable.
- REMOTE_CODE_EXECUTION (MEDIUM): The use of npx skills facilitates the execution of remote scripts. When npx skills add is called, it downloads and integrates new code into the agent's environment. While this is the primary purpose of the skill, the execution of remote, untrusted code remains a significant security surface.
- COMMAND_EXECUTION (MEDIUM): The allowed-tools section uses a wildcard, Bash(npx skills *). This grants the agent broad permissions to execute any subcommand of the skills package, which includes modifying the local environment via additions, updates, or removals.
- PROMPT_INJECTION (LOW): The skill exhibits an indirect prompt injection surface (Category 8).
  - Ingestion points: Data enters the agent context via npx skills search and npx skills list, which return external content from the inference.sh registry.
  - Boundary markers: None are present in the prompt instructions to tell the agent to ignore instructions embedded in registry metadata.
  - Capability inventory: The skill can execute shell commands and install new code (npx skills add).
  - Sanitization: There is no evidence of sanitization or validation of the external registry data before it is presented to or acted upon by the agent.
Audit Metadata