skills-master
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The
playwright-protemplate includes a script atassets/skill-templates/playwright-pro/scripts/launch-chrome.shthat accesses and clones sensitive browser profile files, includingCookiesandLogin Data, to maintain session states for analysis. - [EXTERNAL_DOWNLOADS]: The
update-skills-mastertemplate contains logic inassets/skill-templates/update-skills-master/scripts/update_skills_master.pyto pull and replace the local skill library using code from the author's remote GitHub repository (github.com/lone-yu-cmd/AI-Coding-Paradigm.git). - [COMMAND_EXECUTION]: Multiple components, such as
scripts/install.pyandassets/skill-templates/add-in-skills-master/scripts/add_skill.py, use thesubprocessmodule to execute shell commands for file operations, package management (npm), and Git operations. - [PROMPT_INJECTION]: The
skill-creatorcomponent (assets/skill-templates/skill-creator/SKILL.md) utilizes strong directive language, such as "CRITICAL: You MUST invoke this skill IMMEDIATELY," to enforce specific AI behavior and path conventions. - [COMMAND_EXECUTION]: The
context-ai-synctemplate includesassets/skill-templates/context-ai-sync/scripts/install-hook.sh, which installs a Gitpre-commithook that executes logic automatically before commits. - [REMOTE_CODE_EXECUTION]: The update mechanism in
update-skills-masterallows for the replacement of local executable scripts with code fetched from the vendor's remote repository.
Audit Metadata