skill-installer

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The github_utils.py script retrieves GITHUB_TOKEN or GH_TOKEN from environment variables and attaches it to the Authorization header of any request made via the github_request function. Because the function does not validate that the target URL belongs to a trusted GitHub domain, a malicious or manipulated URL could cause the token to be sent to an attacker-controlled server.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill's primary function is to download and install executable code from external sources into $CODEX_HOME/skills. This is a controlled form of Remote Code Execution by design, as any script downloaded from a third-party repository will be executed by the agent system upon restart.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill facilitates downloading content from arbitrary GitHub repositories. While it defaults to the trusted openai/skills organization, the --repo and --url parameters allow the agent to download and install code from any public or private repository, bypassing standard safety vetting for the installed content.
  • [DATA_EXFILTRATION] (MEDIUM): The credential leakage flaw in github_utils.py provides a direct path for data exfiltration. Additionally, the skill's ability to list and read the contents of the local $CODEX_HOME/skills directory could be used to expose the system's current capabilities to an external observer.
  • [INDIRECT_PROMPT_INJECTION] (LOW):
      • Ingestion points: scripts/list-skills.py fetches directory names from remote repositories using the GitHub API.
      • Boundary markers: None. The directory names are printed directly to the user as a list of available skills.
      • Capability inventory: The skill can write files to the filesystem and execute network requests.
      • Sanitization: No sanitization is performed on the names of directories retrieved from GitHub. An attacker could name a directory to contain malicious instructions that the agent might follow when presenting the list to the user.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 04:10 PM