find-skills
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of external software packages from GitHub or the `skills.sh` registry. It specifically identifies `vercel-labs/agent-skills` (a trusted organization) as a source, but the `npx skills add` command can be directed to fetch content from any unverified user or repository.
- [COMMAND_EXECUTION]: Instructs the agent to run subprocesses using the `npx` utility. Specifically, it uses `npx skills find` for search and `npx skills add <package> -g -y` for installation. The use of the `-y` flag is particularly notable as it bypasses interactive confirmation prompts, allowing for silent installation of external code.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection via tool output poisoning. The agent is instructed to process and present search results from an external registry. If a malicious package is registered with a deceptive name or description, the agent might ingest and potentially follow instructions embedded in that metadata.
  - Ingestion points: Output of the `npx skills find` command processed by the agent.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are provided for the search result processing step.
  - Capability inventory: The skill possesses the capability to execute shell commands and install software via `npx`.
  - Sanitization: There is no evidence of sanitization or validation of the text returned from the skills registry before it is presented to the user or acted upon.