skills/lukasedv/skills/install-skills/Gen Agent Trust Hub

install-skills

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM

Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill executes 'npx add-skill' in both scripts/install-skill.sh and scripts/list-skills.sh, which involves downloading and running an external package from the NPM registry at runtime.
  • [EXTERNAL_DOWNLOADS]: In scripts/install-skill.sh, the 'git clone' command is used to fetch code from remote GitHub repositories. While defaults are provided, the script supports any custom repository provided by the user or agent logic.
  • [COMMAND_EXECUTION]: The skill performs significant local file system modifications, including 'mkdir -p' and 'cp -r', to install remote code into sensitive persistence locations like '~/.copilot/skills/'. This enables the permanent addition of new executable logic to the agent.
  • [PROMPT_INJECTION]: The skill parses and displays descriptions from remote SKILL.md files (scripts/install-skill.sh line 156), creating a surface for indirect prompt injection where malicious repository metadata could influence agent behavior.
      • Ingestion points: scripts/install-skill.sh and scripts/list-skills.sh fetch data from remote GitHub contents.
      • Boundary markers: None; remote content is parsed and displayed without delimiters or warnings.
      • Capability inventory: File system write access, network access (git/curl), and remote package execution (npx).
      • Sanitization: None; content is extracted using grep and sed without verification of the source or the payload.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 03:13 PM