find-skills
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands like 'npx skills find' and 'npx skills add' to manage functionality within the agent environment.
- [EXTERNAL_DOWNLOADS]: It identifies and fetches external packages from GitHub and the skills.sh ecosystem, including references to established sources like Vercel Labs.
- [REMOTE_CODE_EXECUTION]: The 'npx skills add' command installs remote code into the agent's workspace. The instructions specify using the '-y' flag, which suppresses confirmation prompts during the installation of these external components.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from search results (package names and descriptions) which are then presented to the user or used in installation commands.
Audit Metadata