skill-installer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill is designed to fetch and install new functional modules (skills) from external sources. According to SKILL.md, it can install from any GitHub repository provided by the user, including private ones.
      • Evidence: scripts/install-skill-from-github.py --repo <owner>/<repo> --path <path/to/skill> (referenced in SKILL.md).
  • REMOTE_CODE_EXECUTION (HIGH): The primary purpose of this skill is to place new executable code into the $CODEX_HOME/skills directory. This is a direct mechanism for Remote Code Execution (RCE) once the agent environment is restarted or the new skills are loaded.
      • Evidence: SKILL.md instructions: "After installing a skill, tell the user: 'Restart Codex to pick up new skills.'"
  • CREDENTIALS_UNSAFE (MEDIUM): The utility scripts/github_utils.py automatically retrieves GITHUB_TOKEN or GH_TOKEN from the environment and includes it in the Authorization header for network requests.
      • Evidence: github_utils.py lines 13-16: token = os.environ.get("GITHUB_TOKEN") or os.environ.get("GH_TOKEN"); if token: headers["Authorization"] = f"token {token}".
      • Risk: If a user provides a malicious repository URL, the script may transmit the user's secret GitHub token to an attacker-controlled endpoint.
  • COMMAND_EXECUTION (LOW): The skill requires elevated permissions within the sandbox to perform network requests and write to the file system.
      • Evidence: SKILL.md states: "All of these scripts use network, so when running in the sandbox, request escalation when running them."
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:50 PM