skill-installer
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads skill configuration and source code from GitHub using both the official GitHub API (api.github.com) and ZIP archive downloads from codeload.github.com.
- [COMMAND_EXECUTION]: The installation script invokes the system git command via subprocess.run to perform cloning and sparse-checkout operations when installing skills from remote repositories.
- [EXTERNAL_DOWNLOADS]: The skill implements a security check during ZIP extraction to ensure that files are not written outside of the intended destination directory, mitigating potential path traversal attacks.
Audit Metadata