skill-create-flow

Warn

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis

================================================================================

🟡 VERDICT: MEDIUM

This skill provides a workflow for creating new agent skills. The analysis found that its installation instructions involve downloading code from an external GitHub repository (okwinds/miscellany) that is not on our list of trusted sources. While the skill itself appears benign, the content of this external repository cannot be verified by this analysis, posing a potential risk if the external source were compromised. This analysis has been performed only on files directly distributed with the skill.

Total Findings: 2

🟡 MEDIUM Findings: • Unverifiable Dependency

  • README.md Line 49: The installation instructions recommend using npx openskills install https://github.com/okwinds/miscellany. This command downloads and executes code from an external GitHub repository (okwinds/miscellany) which is not on the list of trusted sources. The contents of this repository cannot be verified at analysis time, posing a risk of executing unvetted external code.

🔵 LOW Findings: • Command Execution (File System Modification)

  • README.md Line 30: The installation instructions include commands like mkdir, rm -rf, cp -R, and ln -s. These commands modify the local file system to install the skill. While these are standard operations for skill installation and typically operate within user-level permissions (e.g., in ~/.codex/skills), they involve direct command execution to modify the user's environment.

================================================================================

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 13, 2026, 03:03 AM