anyone-to-skill
Fail
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `README.md` and installation instructions promote one-click installation via `curl -fsSL https://raw.githubusercontent.com/OpenDemon/anyone-to-skill/master/install.sh | bash` and a similar PowerShell command. These scripts download and execute code from a remote repository at runtime.
- [COMMAND_EXECUTION]: Several Python scripts, including `scripts/analyze_video.py`, `scripts/crawl.py`, `scripts/ingest.py`, and `scripts/distill.py`, use `subprocess.run` to execute shell commands for tools like `yt-dlp`, `ffmpeg`, and `pdftotext`. These commands process external inputs such as YouTube URLs and file paths provided by the user.
- [EXTERNAL_DOWNLOADS]: The skill fetches persona-specific `SKILL.md` files from various GitHub repositories under the `OpenDemon` organization (e.g., `OpenDemon/elon-musk-skill`) during the chat interface initialization.
- [PROMPT_INJECTION]: The distillation pipeline (Mode 2) is vulnerable to indirect prompt injection. It ingests untrusted data from external sources like YouTube transcripts and user-uploaded chat logs to generate behavioral instructions in a new `SKILL.md`. Malicious content in these transcripts could influence the resulting agent's persona or instructions.
  - Ingestion points: YouTube transcripts via `crawl.py`, local files/chat logs via `ingest.py`.
  - Boundary markers: Uses simple delimiters like `---TRANSCRIPT---` in `analyze_video.py`.
  - Capability inventory: File system writes, shell command execution via `subprocess.run`.
  - Sanitization: Relies on LLM summarization and structured prompts but lacks robust sanitization of the raw transcript data.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/OpenDemon/anyone-to-skill/master/install.sh - DO NOT USE without thorough review
Audit Metadata