add-skill
Audit result: Fail
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
- [DATA_EXFILTRATION]: The fetch_skill.py script is vulnerable to path traversal via the repository path parameter. The script joins a temporary directory with a user-supplied path using the pathlib '/' operator, and that operator discards the left-hand component when the right-hand path is absolute (e.g., '/etc'), so the intended temporary-directory scope can be bypassed. If the resulting directory contains a 'SKILL.md' file, the script copies its contents into the workspace, enabling unauthorized access to local files.
- [EXTERNAL_DOWNLOADS]: The skill is designed to fetch and install content from arbitrary GitHub URLs. This allows the introduction of unverified SKILL.md files and executable scripts into the agent's workspace, which could be used to host malicious instructions or backdoors.
- [COMMAND_EXECUTION]: The script executes several git commands using subprocess.run with arguments derived from user input. While the use of list-based arguments prevents shell injection, the logic allows an attacker to control the repository and branch used in the git operations.
- [CREDENTIALS_UNSAFE]: The script embeds the GITHUB_TOKEN environment variable directly into the repository URL for authentication. This practice can leak the token if the script fails and prints the URL in error logs or if the process environment is inspected during execution.
Recommendations
- AI detected serious security threats