skills-manager
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The script scripts/add.sh uses eval to execute a command string built from the $SOURCE and $SKILL_NAME variables. Since these variables are not sanitized, a malicious user or a prompt-injected agent could execute arbitrary shell commands. Evidence: eval $CMD in scripts/add.sh.
- [COMMAND_EXECUTION] (HIGH): The script scripts/clone.sh interpolates the $SOURCE variable directly into a git clone command. Lack of sanitization allows for command injection using shell metacharacters. Evidence: git clone --depth 1 "https://github.com/$SOURCE.git" in scripts/clone.sh.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill uses npx skills add to download and execute code from remote GitHub repositories. This behavior is inherently risky as it executes unverified third-party content. Evidence: npx skills add calls in add.sh, install.sh, and save.sh.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The clone.sh script downloads entire repositories from GitHub to a temporary directory before copying them. This facilitates the introduction of untrusted files to the local system. Evidence: git clone in scripts/clone.sh.
Recommendations
- AI detected serious security threats
Audit Metadata