acquiring-skills
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill provides explicit instructions to clone repositories from external sources using git clone. One source (anthropics) is trusted, but the skill also promotes an untrusted source (letta-ai) and provides a template for arbitrary external repositories.
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute shell commands (git clone, cp, rsync, rm) to move executable content into the agent's operational paths (~/.letta/skills).
- [REMOTE_CODE_EXECUTION] (HIGH): The workflow of downloading external scripts and then calling Skill(command: "load") constitutes a remote code execution vector. The safety mechanism relies entirely on the agent's manual inspection of code, which is an unreliable security boundary.
- [INDIRECT PROMPT INJECTION] (LOW): This skill establishes a large attack surface for indirect prompt injection.
  - Ingestion points: External repositories cloned via git (SKILL.md).
  - Boundary markers: The skill includes a 'SAFETY' section warning the agent, but these are instructions, not technical delimiters.
  - Capability inventory: Includes filesystem write access (cp/rsync), network access (git clone), and code loading (Skill(command: "load")).
  - Sanitization: None. The skill advises the agent to 'Understand what the script does' before execution, but provides no programmatic validation.
Audit Metadata