skills-ref
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill contains instructions (in SKILL.md and references/format.md) to download a script from 'https://astral.sh/uv/install.sh' and pipe it directly to a shell ('| sh'). This is a dangerous execution pattern that bypasses local file inspection.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill uses 'uvx --from skills-ref agentskills', which dynamically fetches and executes the 'skills-ref' package from an external registry. This introduces a supply chain risk as the package is not pinned to a specific hash or reviewed locally.
- COMMAND_EXECUTION (LOW): The skill executes multiple local shell commands and a bundled script ('scripts/generate-skills-xml.sh') to perform directory scanning and file modification.
- PROMPT_INJECTION (LOW): The skill exhibits an Indirect Prompt Injection surface (Category 8) by aggregating data from untrusted files into the project's primary instruction file.
  - Ingestion points: SKILL.md files within the user-specified skills directory.
  - Boundary markers: Absent. The data is wrapped in XML tags, but there are no instructions for the agent to ignore instructions embedded within those tags.
  - Capability inventory: The skill can execute shell commands via 'uvx' and modify 'CLAUDE.md', which controls agent behavior.
  - Sanitization: Absent. The bash script performs raw string extraction without escaping content that could be used for markdown or XML injection.
Recommendations
- HIGH: Downloads and executes remote code from https://astral.sh/uv/install.sh. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata