skill-downloader
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill is designed to download content from any user-provided URL or GitHub repository. It explicitly promotes unvetted sources such as skillhub.club and various community GitHub accounts, which could host malicious scripts.
- Dynamic Execution (HIGH): By 'installing' downloaded scripts into the agent's skill directory, the skill facilitates the execution of unverified third-party code. This is a primary attack vector for full system compromise if a malicious skill is downloaded and subsequently executed by the agent.
- Privilege Escalation (HIGH): In scripts/download_from_archive.py, the use of tarfile.extractall() and zipfile.extractall() without path validation allows a specially crafted archive to write or overwrite files outside the intended target directory (e.g., ../../.ssh/authorized_keys or ../../.bashrc). This is a classic 'Zip Slip' vulnerability.
- Indirect Prompt Injection (LOW): This skill provides a significant surface for indirect injection. An attacker-controlled skill source can provide a SKILL.md file with instructions designed to subvert the agent's behavior once the skill is processed or used.
- Ingestion points: scripts/download_from_archive.py and scripts/download_from_github.py fetch data from external URLs.
- Boundary markers: None. The skill does not use delimiters or warnings when processing the downloaded content.
- Capability inventory: The skill has the ability to write to the filesystem, execute shell commands via git, and download files from the network.
- Sanitization: None. The only validation performed is checking for the existence of 'name' and 'description' keys in the YAML frontmatter.
Recommendations
- AI detected serious security threats
Audit Metadata