find-skills
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill heavily relies on
npxto execute theskillspackage manager and instructs the agent to install external packages usingnpx skills add. This process downloads and executes remote code on the host system. - [COMMAND_EXECUTION]: The skill provides instructions to execute shell commands with arguments derived from user input (e.g.,
npx skills find [query]). This presents a surface for command injection if the input is not properly sanitized. - [EXTERNAL_DOWNLOADS]: The skill facilitates downloading code from external sources like GitHub and the npm registry. It specifically recommends using the
-yflag during installation, which suppresses user confirmation prompts, increasing the risk of installing malicious content without oversight. - [DATA_EXPOSURE]: The skill interacts with the external domain
skills.shto fetch leaderboard data and search results, involving network operations that transmit user-driven search queries.
Audit Metadata