skill-manager
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
NO_CODE, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [NO_CODE]: The core functionality is implemented in external scripts (`scripts/analyze-interactive.sh` and `scripts/skill-manager-cli`) that are not included in the skill definition, preventing a full security review of the operations performed.
- [REMOTE_CODE_EXECUTION]: The skill uses `npx skills` to perform removal actions. This involves downloading and executing a package from the npm registry at runtime, which is an unverified external dependency.
- [DATA_EXFILTRATION]: The skill targets sensitive file paths used by AI coding assistants, such as `~/.claude/`, `~/.cursor/`, and `~/.copilot/`. Access to these directories could lead to the exposure of configuration data or personal skill files.
- [COMMAND_EXECUTION]: Multiple bash scripts and CLI tools are invoked to handle backups and skill management, granting the skill significant control over the local file system.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface.
  - Ingestion points: Skill definitions are read from `~/.claude/skills/`, `~/.config/opencode/skills/`, `~/.cursor/skills/`, and `~/.copilot/skills/`.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when processing these external files.
  - Capability inventory: The skill has the capability to execute shell scripts (`bash`) and package manager commands (`npx`) based on the results of its analysis.
  - Sanitization: There is no evidence of sanitization or validation of the content within the external skills being analyzed.