add-new-skills-to-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill downloads content from user-provided GitHub URLs using a local Python script (
download_from_github.py). It lacks URL validation or whitelisting, allowing the agent to fetch data from any repository. - REMOTE_CODE_EXECUTION (HIGH): By downloading "skills" (which typically include scripts and instructions) and then instructing the agent to "Read... to understand... how it fits into the workflow pipeline," the skill facilitates the introduction and potential execution of untrusted code into the agent's workflow.
- COMMAND_EXECUTION (MEDIUM): The skill uses
pythonto execute a local downloader script with arguments derived from untrusted user input (the GitHub URL), which could be manipulated. - PROMPT_INJECTION (LOW): This skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data.
- Ingestion points:
SKILL.mdfile downloaded from a remote GitHub repository in Step 2. - Boundary markers: None. The agent is instructed to read the file content directly without delimiters or safety warnings.
- Capability inventory: The agent can execute commands (Step 1), read files (Step 2), and write to multiple documentation and configuration files (Step 3 and 4).
- Sanitization: None. The skill does not describe any validation or sanitization of the downloaded skill content before the agent interprets it.
Recommendations
- AI detected serious security threats
Audit Metadata