find-skills
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill provides automated instructions for downloading and installing packages from external repositories using the npx skills add command.
- [REMOTE_CODE_EXECUTION] (MEDIUM): Installation via 'npx skills add -g -y' executes remote code with global permissions while bypassing confirmation prompts, presenting a significant risk if the package source is untrusted or malicious.
- [COMMAND_EXECUTION] (LOW): Uses npx to run the skills CLI tool as part of its core functionality.
- [PROMPT_INJECTION] (LOW): (Category 8: Indirect Prompt Injection) 1. Ingestion points: User-provided search queries are interpolated into terminal commands. 2. Boundary markers: None present to isolate untrusted user data. 3. Capability inventory: Capability to install and execute arbitrary software. 4. Sanitization: No sanitization of user search input is described before command execution.
Audit Metadata