Skills
skills/kjanat/skills/build-skill/Gen Agent Trust Hub

build-skill

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The main SKILL.md file instructs users to use uvx to download and run a tool from https://github.com/agentskills/agentskills.git. This repository is not included in the trusted vendors list.
  • [REMOTE_CODE_EXECUTION]: The recommendation to execute remote code using uvx with a direct link to a Git repository (github.com/agentskills/agentskills.git) allows for the execution of unverified logic within the agent's environment.
  • [COMMAND_EXECUTION]: The skill bundles three shell scripts (scripts/init_skill.sh, scripts/validate_skill.sh, and scripts/package_skill.sh) that perform local file system operations, create directory structures, and use system utilities like zip and find. These scripts are used for skill management and scaffolding.
  • [DATA_EXPOSURE]: The scripts/package_skill.sh file includes a proactive security measure by defining a list of sensitive file patterns (such as .env, .pem, id_rsa, and credentials) to be excluded automatically when packaging a skill into a zip file, reducing the risk of accidental credential exposure.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 3, 2026, 12:37 PM