Skills
skills/jdrhyne/agent-skills/skill-sync/Gen Agent Trust Hub

skill-sync

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill clones and pulls content from a remote GitHub repository (https://github.com/PSPDFKit/clawdbot-skills.git). This is a central part of its 'sync' functionality but represents an external dependency.
  • [COMMAND_EXECUTION]: The script uses chmod +x on downloaded files within the scripts/ directory of installed skills. This automatically grants execution permissions to any script files fetched from the remote repository.
  • [COMMAND_EXECUTION]: The skill executes several system commands including git, mkdir, rm -rf, cp -r, and the gh CLI for pull request creation.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes SKILL.md files from the remote repository to extract descriptions for the list and push commands. If the remote repository is compromised, malicious instructions could be embedded in these files to influence the agent's behavior during the sync process.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 11, 2026, 05:35 AM