
add-skill

Status: Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill is designed to download specific directories from GitHub using git sparse-checkout. The implementation in fetch_skill.py allows fetching content from any GitHub repository owner and name provided in the user-supplied URL.
  • [COMMAND_EXECUTION]: The script fetch_skill.py executes several git commands using subprocess.run. While the commands use argument lists, parameters such as the repository owner, name, and branch are derived directly from the input URL without strict validation.
  • [REMOTE_CODE_EXECUTION]: By downloading and installing new skills into the .agents/skills/ directory, the skill introduces new instructions and potentially executable scripts that the agent will trust and use in future interactions. This creates a vector for executing untrusted logic if the source repository is malicious.
  • [CREDENTIALS_UNSAFE]: The script retrieves the GITHUB_TOKEN from the environment and embeds it into the git clone URL (e.g., https://token@github.com/owner/repo.git). This transmits the token to GitHub's servers during the cloning process, which may expose it if the target repository is untrusted.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches and processes unverified content from remote sources.
      ◦ Ingestion points: Fetches SKILL.md and directory contents from remote GitHub repositories.
      ◦ Boundary markers: No delimiters or safety warnings are added to the downloaded content before it is incorporated into the agent's environment.
      ◦ Capability inventory: Uses subprocess.run for system commands and shutil.copytree to write to the local filesystem.
      ◦ Sanitization: Validation is limited to checking for the existence of a SKILL.md file in the downloaded folder.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 06:31 PM