Skills
skills/jackiexiao/jackie-skills-starter/find-skills/Gen Agent Trust Hub

find-skills

Fail

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill provides instructions to execute npx skills add <package> -g -y. The inclusion of the -y flag is high-risk as it explicitly instructs the agent to skip confirmation prompts when installing and potentially executing third-party code from remote sources.
  • [COMMAND_EXECUTION] (MEDIUM): The instructions direct the agent to run npx skills find [query] using queries derived from user input. This creates a command injection vulnerability if the user provides shell metacharacters (e.g., ;, &, |) in their request which the agent then interpolates into the bash command.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's primary purpose is to facilitate the download and installation of external packages from https://skills.sh/ and GitHub. While vercel-labs/agent-skills is a trusted source, the tool allows installation from any unverified third-party repository.
  • [PROMPT_INJECTION] (LOW): As a meta-skill that processes user input to perform searches, it is susceptible to prompt injection where a user might attempt to manipulate the [query] to execute unintended commands or bypass the skill's logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 22, 2026, 04:37 AM