skill-installer

Warn

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill facilitates downloading content from external sources to install new capabilities.
      • It fetches repository metadata and directory listings via the GitHub API from api.github.com.
      • It downloads ZIP archives of skill repositories from codeload.github.com.
      • While the default source is a trusted repository, the tool is designed to support installation from arbitrary, unverified GitHub repositories.
  • [COMMAND_EXECUTION]: The installation script executes system commands to manage repository content.
      • The _run_git function in scripts/install-skill-from-github.py uses subprocess.run to call the git executable.
      • It performs operations such as clone, sparse-checkout, and checkout on remote URLs provided by the user or derived from inputs.
  • [CREDENTIALS_UNSAFE]: The helper utility github_utils.py programmatically accesses sensitive environment variables.
      • It attempts to retrieve GITHUB_TOKEN or GH_TOKEN from the environment to include in the Authorization header for GitHub API requests.
      • This allows the skill to access and download from private repositories, which could lead to credential exposure if the environment is compromised or if tokens are logged.
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions aimed at altering the agent's runtime security constraints.
      • It explicitly directs the agent to "request escalation when running" the helper scripts in a sandbox environment.
      • This represents an attempt to bypass standard execution restrictions and obtain higher privileges than the default configuration intended.
  • [DATA_EXFILTRATION]: The skill performs local reconnaissance on the agent's environment.
      • The _installed_skills function in scripts/list-curated-skills.py reads the contents of the $CODEX_HOME/skills directory.
      • This information about the system state and installed extensions is then output to the agent's context.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 27, 2026, 07:59 AM