skill-importer
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill's core functionality is to fetch content from external sources defined in assets/skill-sources.yaml. The primary source listed (https://github.com/kehwar/frappe) is not a trusted organization or repository, violating the trust-scope-rule.
- REMOTE_CODE_EXECUTION (HIGH): The imported 'skills' are intended to be executed or interpreted by the AI agent. By facilitating the download of these scripts and markdown instructions into the local .github/skills/ directory without verification, the skill enables a Remote Code Execution (RCE) vector.
- COMMAND_EXECUTION (MEDIUM): The documentation in SKILL.md provides explicit instructions for the agent to execute shell commands, including git clone, cp -r, and running a local Python script (scripts/import_skills.py) to modify the local file system.
- INDIRECT PROMPT INJECTION (LOW): The skill creates an attack surface for indirect prompt injection by processing data from untrusted external repositories.
  - Ingestion points: Remote GitHub repositories listed in assets/skill-sources.yaml.
  - Boundary markers: Absent; there are no delimiters or warnings to ignore instructions within the imported content.
  - Capability inventory: The skill possesses the ability to write to the local file system and execute shell commands.
  - Sanitization: Absent; the process involves a direct copy of remote files into the local skill directory.
Recommendations
- AI detected serious security threats
Audit Metadata