skill-installer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill facilitates downloading code from GitHub. While it defaults to a trusted organization, it explicitly supports arbitrary repositories and private repos via the
--repoand--urlarguments, as described inSKILL.md. - REMOTE_CODE_EXECUTION (HIGH): The skill's core purpose is to download executable code and place it into the agent's execution directory (
$CODEX_HOME/skills). The documentation inSKILL.mdinstructs the user to restart the agent to 'pick up new skills', which results in the execution of the downloaded content. - COMMAND_EXECUTION (MEDIUM): The skill documentation suggests overwriting system-level skills (
.system) if a user 'insists', which could lead to tampering with the core agent's behavior. - CREDENTIALS_UNSAFE (LOW): In
scripts/github_utils.py, the skill accessesGITHUB_TOKENorGH_TOKENfrom the environment. While currently only sent toapi.github.com(a whitelisted domain), the exposure of this token to newly installed (and potentially malicious) skills is a significant risk. - INDIRECT_PROMPT_INJECTION (MEDIUM): The script
scripts/list-skills.pyingests untrusted data from the GitHub API. - Ingestion points: Fetches directory contents from GitHub repositories via the API contents endpoint.
- Boundary markers: None; external data (file names) is directly incorporated into the agent's response list.
- Capability inventory: Writing to the filesystem and installing code that will be executed upon restart.
- Sanitization: None; file names and paths are processed as-is from the API response.
Recommendations
- AI detected serious security threats
Audit Metadata