tooluniverse-install-skills
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill performs a git clone from https://github.com/mims-harvard/ToolUniverse.git. This source is not on the trusted organizations list, posing a risk of downloading unverified or malicious content.
- COMMAND_EXECUTION (MEDIUM): The skill uses mkdir and cp -r to inject downloaded files into sensitive dot-directories such as .cursor/skills, .claude/skills, and .gemini/skills, which are used by AI agents for capability expansion.
- REMOTE_CODE_EXECUTION (HIGH): By moving unverified markdown and script files from an external repository into the agent's active skills path, the skill establishes a 'download and execute' pattern where the new code is executed by the agent.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection. Evidence Chain: (1) Ingestion point: GitHub repository; (2) Boundary markers: Absent; (3) Capability inventory: mkdir, cp, rm, git; (4) Sanitization: Absent. The skill installs instructions from an external source into the agent context without validation.
Recommendations
- AI detected serious security threats
Audit Metadata