find-skills
Warn
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the npx command-line executor to run the skills CLI, allowing the agent to perform search and management tasks within the shell environment.
- [REMOTE_CODE_EXECUTION]: Through the npx skills add <package> command, the agent can download and install code from external GitHub repositories. The instructions encourage the use of the -y flag, which skips confirmation prompts and allows the agent to execute unverified external code autonomously.
- [EXTERNAL_DOWNLOADS]: The skill communicates with the skills.sh registry and various GitHub repositories. Although it highlights trusted repositories from organizations like Vercel Labs, the underlying mechanism is open to any repository, including those from unverified or untrusted sources.
- [PROMPT_INJECTION]: This skill presents a surface for indirect prompt injection because the agent processes and acts upon search results and metadata from an external, crowdsourced registry.
  - Ingestion points: Data returned from npx skills find and repository-level metadata (e.g., skill descriptions) provided by external authors.
  - Boundary markers: The skill lacks explicit delimiters or instructions to treat the search results as untrusted data, which may cause the agent to follow instructions embedded in a malicious skill's description.
  - Capability inventory: The agent has the capability to execute shell commands and install software, which could be exploited by injected instructions.
  - Sanitization: There is no evidence of sanitization or validation of the remote content before it is processed by the agent or presented to the user.
Audit Metadata